Your message dated Wed, 19 Dec 2018 10:50:24 +0000
with message-id <[email protected]>
and subject line Bug#884365: fixed in hdf5 1.10.4+repack-2
has caused the Debian Bug report #884365,
regarding hdf5: CVE-2017-17505 CVE-2017-17506 CVE-2017-17508 CVE-2017-17509
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
884365: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884365
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: hdf5
Version: 1.8.13+docs-1
Severity: important
Tags: security upstream
Hi,
the following vulnerabilities were published for hdf5, the POCs are
found at [5]. Apart of CVE-2017-17509, all are confirmed back to
1.8.13+decs-15+deb8u1, still decided to collect that CVE as well in
this bug, but we can split up by affected version. Not sure as well if
the issues have been reported to upstream.
CVE-2017-17505[0]:
| In HDF5 1.10.1, there is a NULL pointer dereference in the function
| H5O_pline_decode in the H5Opline.c file in libhdf5.a. For example,
| h5dump would crash when someone opens a crafted hdf5 file.
CVE-2017-17506[1]:
| In HDF5 1.10.1, there is an out of bounds read vulnerability in the
| function H5Opline_pline_decode in H5Opline.c in libhdf5.a. For example,
| h5dump would crash when someone opens a crafted hdf5 file.
CVE-2017-17507[2]:
| In HDF5 1.10.1, there is an out of bounds read vulnerability in the
| function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example,
| h5dump would crash when someone opens a crafted hdf5 file.
CVE-2017-17508[3]:
| In HDF5 1.10.1, there is a divide-by-zero vulnerability in the function
| H5T_set_loc in the H5T.c file in libhdf5.a. For example, h5dump would
| crash when someone opens a crafted hdf5 file.
CVE-2017-17509[4]:
| In HDF5 1.10.1, there is an out of bounds write vulnerability in the
| function H5G__ent_decode_vec in H5Gcache.c in libhdf5.a. For example,
| h5dump would crash or possibly have unspecified other impact someone
| opens a crafted hdf5 file.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17505
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17505
[1] https://security-tracker.debian.org/tracker/CVE-2017-17506
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17506
[2] https://security-tracker.debian.org/tracker/CVE-2017-17507
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17507
[3] https://security-tracker.debian.org/tracker/CVE-2017-17508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17508
[4] https://security-tracker.debian.org/tracker/CVE-2017-17509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17509
[5] https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: hdf5
Source-Version: 1.10.4+repack-2
We believe that the bug you reported is fixed in the latest version of
hdf5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gilles Filippini <[email protected]> (supplier of updated hdf5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 19 Dec 2018 10:27:23 +0100
Source: hdf5
Binary: libhdf5-103 libhdf5-cpp-103 libhdf5-dev libhdf5-openmpi-103
libhdf5-openmpi-dev libhdf5-mpich-103 libhdf5-mpich-dev libhdf5-mpi-dev
libhdf5-doc hdf5-helpers hdf5-tools libhdf5-java libhdf5-jni
Architecture: source
Version: 1.10.4+repack-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GIS Project <[email protected]>
Changed-By: Gilles Filippini <[email protected]>
Description:
hdf5-helpers - Hierarchical Data Format 5 (HDF5) - Helper tools
hdf5-tools - Hierarchical Data Format 5 (HDF5) - Runtime tools
libhdf5-103 - Hierarchical Data Format 5 (HDF5) - runtime files - serial versio
libhdf5-cpp-103 - Hierarchical Data Format 5 (HDF5) - C++ libraries
libhdf5-dev - Hierarchical Data Format 5 (HDF5) - development files - serial ve
libhdf5-doc - Hierarchical Data Format 5 (HDF5) - Documentation
libhdf5-java - Hierarchical Data Format 5 (HDF5) - Java Wrapper Library
libhdf5-jni - native library used by libhdf5-java
libhdf5-mpi-dev - Hierarchical Data Format 5 (HDF5) - development files -
default M
libhdf5-mpich-103 - Hierarchical Data Format 5 (HDF5) - runtime files - MPICH2
versio
libhdf5-mpich-dev - Hierarchical Data Format 5 (HDF5) - development files -
MPICH ver
libhdf5-openmpi-103 - Hierarchical Data Format 5 (HDF5) - runtime files -
OpenMPI versi
libhdf5-openmpi-dev - Hierarchical Data Format 5 (HDF5) - development files -
OpenMPI v
Closes: 878535 884365
Changes:
hdf5 (1.10.4+repack-2) unstable; urgency=medium
.
* Drop transitional package libhdf5-serial-dev (closes: #878535)
* Fix pkg-config files which contained wrong, old version numbers
(thanks to Elias Kuthe)
.
* Acknowledging fixed CVE in previous releases:
- Fixed in upstream release 1.10.2 (closes: #884365):
. CVE-2017-17505: NULL pointer dereference in function H5O_pline_decod
. CVE-2017-17506: out of bounds read vulnerability in function
H5Opline_pline_decode
. CVE-2017-17508: divide-by-zero vulnerability in function H5T_set_loc
. CVE-2017-17509: out of bounds write vulnerability in function
H5G__ent_decode_vec
- Fixed in upstream release 1.10.3:
. CVE-2018-11202: NULL pointer dereference in function
H5S_hyper_make_spans
. CVE-2018-11203: division by zero in function H5D__btree_decode_key
. CVE-2018-11204: NULL pointer dereference in function
H5O__chunk_deserialize
. CVE-2018-11206: out of bound read in functions H5O_fill_new_decode
and H5O_fill_old_decode
. CVE-2018-11207: division by zero in function H5D__chunk_init
Checksums-Sha1:
44398331826aeedc8602fbc421b56afa1162d261 2656 hdf5_1.10.4+repack-2.dsc
c26d5c4b2e80fa433624d01b72f44eea807004be 129816
hdf5_1.10.4+repack-2.debian.tar.xz
8b3c374793beb0e83c5398e7ce28cc957804c68d 10322
hdf5_1.10.4+repack-2_source.buildinfo
Checksums-Sha256:
79b5a0c722597b20ba0d013c42c6106faa474fa6636aa2418b11bc24fa0c7294 2656
hdf5_1.10.4+repack-2.dsc
8accbbb3735f3b75d6b3b65b7ee7da9406938c13c11e2e7207f500d7a0f19ede 129816
hdf5_1.10.4+repack-2.debian.tar.xz
a1eebeab41359ce7b5f7506461c0d585910ea1611f459a7ca3288ad5b993cd3a 10322
hdf5_1.10.4+repack-2_source.buildinfo
Files:
7ce55b71bdc3a4e72da6e86c0249e65c 2656 science optional hdf5_1.10.4+repack-2.dsc
200cb6b978eb7254728e74b4c5f37077 129816 science optional
hdf5_1.10.4+repack-2.debian.tar.xz
a9de170ea234d782103ae24e5c1ec6ff 10322 science optional
hdf5_1.10.4+repack-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFEBAEBCgAuFiEEoJObzArDE05WtIyR7+hsbH/+z4MFAlwaHq8QHHBpbmlAZGVi
aWFuLm9yZwAKCRDv6Gxsf/7Pg7fGB/4z9TDv1lSWFoQy/khJmflXb8pyjAb7cukQ
7cpxWnBd+NvzEb4Hqs8S22YTPzfeTorTPW/ViIG4vWg003lWfOIjjBzrPLEe66X+
MDUZ7Sg9dHHIKbroeno4v5+sRni2LIsm2m6pFG5cq/O0R8vOZb2jc9F0+KaWJHuT
JQ76Mmv8vG3MwJNxdjKhHrhESbJ3NANBj2pzEe0ALa1pr9e1JWiuIwUIO6TX8uBQ
y3QvB+b1vK7KNmjP0EsDI5ZgEk4b+5Hc0aqC3NUTrhIX9VNVEktVfa8izHX9PGNm
pc4J+wlGQ1OmtT0p+El8SaxY882L6d9StYRh9tvtCUEQP3IrlHcH
=znft
-----END PGP SIGNATURE-----
--- End Message ---