Hi fellow LTS maintainers,

During triaging of hdf5 I have checked four CVEs:

- CVE-2016-4330 https://security-tracker.debian.org/tracker/CVE-2016-4330
- CVE-2016-4331 https://security-tracker.debian.org/tracker/CVE-2016-4331
- CVE-2016-4332 https://security-tracker.debian.org/tracker/CVE-2016-4332
- CVE-2016-4333 https://security-tracker.debian.org/tracker/CVE-2016-4333
All of them are related to heap overflows that "can potentially cause arbitrary code execution". This is a security problem, but the question is how important it is.

The crash is a DoS problem, but my guess is that from that perspective the worst thing that will happen is that the person opening the file will be a little upset and blame the person sending the file.

However, this can also potentially cause an arbitrary code execution problem, and that is definitely worse. Someone could execute something as some other user on a system where it should not be run. I do however think that this is less of an issue as files are not loaded automatically (my assumption), but rather by a person who gets a file from a hopefully rather trusted source.

Also, I have in other discussions got the impression that gcc nowadays has some kind of heap protection that prevents overwriting of data causing arbitrary code execution. I may be wrong however.

All in all I'm leaning towards marking these as no-dsa, but I would like your advice before doing so.

Best regards

// Ola

--
--- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                    Folkebogatan 26            \
|  [email protected]                    654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
---------------------------------------------------------------
