Source: hdf5
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for hdf5. The reports mentioned a vendor disclosure, but not sure when/how.

CVE-2022-26061[0]:
| A heap-based buffer overflow vulnerability exists in the gif2h5
| functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF
| file can lead to code execution. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1487

CVE-2022-25972[1]:
| An out-of-bounds write vulnerability exists in the gif2h5
| functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF
| file can lead to code execution. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1485

CVE-2022-25942[2]:
| An out-of-bounds read vulnerability exists in the gif2h5 functionality
| of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1486

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-26061
    https://www.cve.org/CVERecord?id=CVE-2022-26061
[1] https://security-tracker.debian.org/tracker/CVE-2022-25972
    https://www.cve.org/CVERecord?id=CVE-2022-25972
[2] https://security-tracker.debian.org/tracker/CVE-2022-25942
    https://www.cve.org/CVERecord?id=CVE-2022-25942

Please adjust the affected versions in the BTS as needed.