Hi Gilles,
since nobody responded to your question (I did not respond either, since
none of my packages uses this tool), here is some opinion from me: no
contradiction means agreement - thus just go for it.
Thanks a lot for caring for the hdf5 libraries.
Andreas.
On Sat, Feb 25, 2023 at 10:37:58PM +0100, Gilles Filippini wrote:
> Hi debian-science,
>
> Three CVEs were recently reported [1] against gif2h5. When I asked the HDF
> Group about these CVEs, I had this answer:
>
> > Those appear to be flaws in a small, poorly-written, command-line tool
> > (gif2h5) and not the HDF5 library itself. This is only a concern if you have
> > built a service that uses the tool. I am very surprised that those CVE
> > issues were given high scores given how rarely the tool is used in a
> > production environment.
> >
> > I have no fix ETA since my plan is to move the tool to a separate
> > repository. Valgrind has always complained about that tool and the code
> > doesn't seem worth fixing.
> >
> > You can avoid the issue entirely by not deploying or exposing the gif2h5
> > tool. This can be done at configure time via the --disable-hltools configure
> > option (in CMake, set HDF5_BUILD_HL_TOOLS to OFF) which will disable
> > building the high-level tools.
>
> What do you think about removing gif2h5 from the hdf5-tools package?
>
> And would it be OK to fix HDF5 in stable and oldstable this way?
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031726
>
> Thanks in advance,
> _g.
--
http://fam-tille.de
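A small audit for the mitigation quoted in the thread (building HDF5 with HDF5_BUILD_HL_TOOLS=OFF so gif2h5 is never shipped), added here as an example and not code from the thread or from the HDF Group. It assumes a CMake build whose CMakeCache.txt records HDF5_BUILD_HL_TOOLS as a BOOL entry and an install prefix with a conventional bin/ directory; the sample cache file it writes is constructed.

```shell
#!/bin/sh
# Audit an HDF5 CMake build tree and install prefix to confirm that the
# high-level tools were disabled and gif2h5 was not installed.
# Assumptions: CMakeCache.txt entry "HDF5_BUILD_HL_TOOLS:BOOL=<value>",
# tools installed under <prefix>/bin.

# Print ON, OFF or UNSET depending on the cache entry in CACHEFILE.
hl_tools_enabled_in_cache() {
    cache="$1"
    val=$(sed -n 's/^HDF5_BUILD_HL_TOOLS:BOOL=\(.*\)$/\1/p' "$cache" | tail -n 1)
    case "$val" in
        "")                      echo UNSET ;;
        ON|on|TRUE|true|1|YES|yes) echo ON ;;
        *)                       echo OFF ;;
    esac
}

# Return 0 when a gif2h5 binary exists under PREFIX/bin, 1 otherwise.
gif2h5_installed() {
    [ -x "$1/bin/gif2h5" ]
}

# Return 0 only if the cache says OFF and no gif2h5 binary is installed.
# Any other state (ON, UNSET, or a leftover binary) is a finding.
audit_hdf5_build() {
    state=$(hl_tools_enabled_in_cache "$1")
    if [ "$state" != OFF ]; then
        echo "finding: HDF5_BUILD_HL_TOOLS is $state (expected OFF)" >&2
        return 1
    fi
    if gif2h5_installed "$2"; then
        echo "finding: gif2h5 still present in $2/bin" >&2
        return 1
    fi
    echo "ok: high-level tools disabled, gif2h5 absent from $2/bin"
    return 0
}

# Stand-alone demo on a constructed build tree (not a real HDF5 build).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
printf 'HDF5_BUILD_HL_TOOLS:BOOL=OFF\n' > "$demo_dir/CMakeCache.txt"
audit_hdf5_build "$demo_dir/CMakeCache.txt" "$demo_dir"
rm -rf "$demo_dir"
```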