Bug 1625424 (CVE-2018-16438) - CVE-2018-16438 hdf5: out of bounds read in H5L_extern_query at H5Lexternal.c
Summary: CVE-2018-16438 hdf5: out of bounds read in H5L_extern_query at H5Lexternal.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16438
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1625427 1625426 1629505 1629506 1629507 1629508 1629509 1629510
Blocks: 1625428
TreeView+ depends on / blocked
 
Reported: 2018-09-04 22:03 UTC by Laura Pardo
Modified: 2021-10-25 22:15 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out of bounds read in H5L_extern_query at H5Lexternal.c was discovered in the HDF HDF5 1.8.20 library. Using a specially crafted file, an attacker could cause a denial of service condition due to inadequate bounds checking.
Clone Of:
Environment:
Last Closed: 2021-10-25 22:15:48 UTC
Embargoed:

Attachments (Terms of Use)

Description Laura Pardo 2018-09-04 22:03:25 UTC 
An issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in H5L_extern_query at H5Lexternal.c.


References:
https://github.com/TeamSeri0us/pocs/tree/master/hdf5/h5stat
Comment 1 Laura Pardo 2018-09-04 22:05:02 UTC 
Created hdf5 tracking bugs for this issue:

Affects: epel-all [bug 1625427]
Affects: fedora-all [bug 1625426]
Comment 2 James Hebden 2018-09-17 01:16:58 UTC 
Reproduced in hdf5 package on all RHOSP editions, using the provided reproducer file from the linked repository (https://github.com/TeamSeri0us/pocs/tree/master/hdf5/h5stat)

h5stat H5L_extern_query\@H5Lexternal.c\:498-10___out-of-bounds-read
Filename: H5L_extern_query:498-10___out-of-bounds-read
Segmentation fault (core dumped)

No upstream patch or source code analysis has been provided or performed, the backtrace provided in the PoC repository is the current best analysis.
Note You need to log in before you can comment on or make changes to this bug.