diff --git a/CVE-2018-14031.patch b/CVE-2018-14031.patch
new file mode 100644
index 0000000000000000000000000000000000000000..472ca26b832f33703855c231d04cedac990b8ddc
--- /dev/null
+++ b/CVE-2018-14031.patch
@@ -0,0 +1,32 @@
+From 25492f3cac49e611456165fe1f36777b699a73ec Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Fri, 31 Mar 2023 11:31:34 +0800
+Subject: [PATCH 1/1] H5O_dtype_decode_helper: Parent of enum needs to have same size as enum itself (#2237)
+
+The size of the enumeration values is determined by the size of the parent.
+Functions accessing the enumeration values use the size of the enumeration to determine the size of each element and how much data to copy. Thus the size of the enumeration and its parent need to match.
+Check here to avoid unpleasant surprises later.
+
+This fixes CVE-2018-14031 / Bug #2236.
+
+Signed-off-by: Egbert Eich
+---
+ src/H5Odtype.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/H5Odtype.c b/src/H5Odtype.c
+index 85fbef4..513412f 100644
+--- a/src/H5Odtype.c
++++ b/src/H5Odtype.c
+@@ -459,6 +459,8 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags/*in,out*/, const uint8_t **p
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, FAIL, "memory allocation failed")
+ if(H5O_dtype_decode_helper(f, ioflags, pp, dt->shared->parent) < 0)
+ HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "unable to decode parent datatype")
++ if (dt->shared->parent->shared->size != dt->shared->size)
++ HGOTO_ERROR(H5E_DATATYPE, H5E_BADSIZE, FAIL, "ENUM datatype size does not match parent")
+
+ /* Check if the parent of this enum has a version greater than the
+ * enum itself. */
+--
+2.30.0
+
diff --git a/CVE-2018-16438.patch b/CVE-2018-16438.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e87120ba2cdee5bb10c72b786ecccb6d40b12f7c
--- /dev/null
+++ b/CVE-2018-16438.patch
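Review bot: The added size check in `H5O_dtype_decode_helper` carries no comment, so the reason an enum and its parent must agree in size lives only in the commit message; a line such as `/* Enum values are stored at the parent's size; a mismatch would make later copies use the wrong element size */` above the `if` would keep that reasoning with the code. The comparison also depends on `dt->shared->size` already holding the decoded value at this point, which happens outside the hunk and should be confirmed for this 1.8.20 backport. The new `if (` spacing differs from the `if(` used on the neighbouring context lines. The function starts and ends outside the hunk.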
@@ -0,0 +1,32 @@
+From 03c87bad2d7505e9d2709c0cd5483c4e1977e67d Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Fri, 31 Mar 2023 10:56:39 +0800
+Subject: [PATCH 1/1] Make sure info block for external links has at least 3 bytes (#2234)
+
+According to the specification, the information block for external links contains 1 byte of version/flag information and two 0 terminated strings for the object linked to and the full path.
+Although not very useful, the minimum string length for each (with terminating 0) would be one byte.
+Checking this will help to avoid SEGVs triggered by bogus files.
+
+This fixes CVE-2018-16438 / Bug #2233.
+
+Signed-off-by: Egbert Eich
+---
+ src/H5Olink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/H5Olink.c b/src/H5Olink.c
+index e48ec45..3437286 100644
+--- a/src/H5Olink.c
++++ b/src/H5Olink.c
+@@ -247,6 +247,8 @@ H5O_link_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *op
+ /* A UD link. Get the user-supplied data */
+ UINT16DECODE(p, len)
+ lnk->u.ud.size = len;
++ if (lnk->type == H5L_TYPE_EXTERNAL && len < 3)
++ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "external link information lenght < 3")
+ if(len > 0)
+ {
+ /* Make sure that length doesn't exceed buffer size, which could
+--
+2.30.0
+
diff --git a/hdf5.spec b/hdf5.spec
index 470fcc705d29cea2b2bf6d3cda2c4c3c1b68e342..357e94ed25bc94d068779ee64084af9911ef21ce 100644
--- a/hdf5.spec
+++ b/hdf5.spec
@@ -9,9 +9,9 @@ Name: hdf5
 Version: 1.8.20
-Release: 14
+Release: 15
 Summary: A data model, library, and file format for storing and managing data
-License: GPL
+License: GPL-2.0-or-later and BSD-3-Clause
 URL: https://portal.hdfgroup.org/display/HDF5/HDF5
 Source0: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8/hdf5-1.8.20/src/hdf5-1.8.20.tar.bz2
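Review bot: The `len < 3` guard on external links bounds only the declared block size; it does not establish that the two strings described in the commit message are NUL-terminated inside those `len` bytes, so whatever later unpacks the block (not visible here) still has to limit its string scans to `lnk->u.ud.size`. The error text misspells "length" and should read `"external link information length < 3"`, which matters to anyone searching logs for the message. `H5E_OVERFLOW` is an odd minor code for a value that is too small; `H5E_BADSIZE`, as used in the CVE-2018-14031 patch, would describe the failure more accurately. `H5O_link_decode` continues outside the hunk.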
@@ -30,6 +30,8 @@ Patch10: CVE-2018-17432.patch
 Patch11: CVE-2018-17435.patch
 Patch12: CVE-2018-13869-CVE-2018-13870.patch
 Patch13: CVE-2018-13873.patch
+Patch14: CVE-2018-16438.patch
+Patch15: CVE-2018-14031.patch
 BuildRequires: gcc, gcc-c++
 BuildRequires: krb5-devel, openssl-devel, zlib-devel, gcc-gfortran, time
@@ -365,6 +367,9 @@ make %{?_smp_mflags} -C build check
 %endif
 %changelog
+* Fri Mar 31 2023 yaoxin - 1.8.20-15
+- Fix CVE-2018-16438 and CVE-2018-14031
+
 * Fri Sep 10 2021 wangyue - 1.8.20-14
 - fix rpath error
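Review bot: `Patch14:` and `Patch15:` are only declared in this hunk, and the diff shows no change to `%prep`. If this spec applies patches with individual `%patchN` lines rather than `%autosetup` or `%autopatch` (that section is outside the visible hunks), the two CVE fixes would ship unapplied, so the build log should be checked to confirm both patch files are applied. The new changelog entry also does not mention the `License:` change made in the first hunk.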