Hi Tobias,

The vulnerabilities you mentioned were addressed in the HDF5 1.8.18 release 
that you can obtain here:
 
   https://support.hdfgroup.org/HDF5/release/obtain518.html

For the issues fixed, please see the RELEASE.txt file:

   https://support.hdfgroup.org/ftp/HDF5/current18/src/hdf5-1.8.18-RELEASE.txt

Unfortunately, we failed to indicate the corresponding TALOS reports. Here they 
are:

CVE-2016-4330:  HDF5 bug  HDFFV-9992 (TALOS-2016-176) 
CVE-2016-4331:  HDF5 bug  HDFFV-9951 (TALOS-2016-177)
CVE-2016-4332:  HDF5 bug  HDFFV-9950 (TALOS-2016-178)
CVE-2016-4333:  HDF5 bug  HDFFV-9993 (TALOS-2016-179)

The fixes are not in HDF5-1.10.0-patch1, but will be in the HDF5 1.10.1 release 
coming in January 2017.

-Barbara


-----Original Message-----
From: Hdf-forum [mailto:hdf-forum-boun...@lists.hdfgroup.org] On Behalf Of 
Tobias Richter
Sent: Thursday, December 01, 2016 2:48 AM
To: HDF Users Discussion List
Subject: [Hdf-forum] CVE-2016-4330 to CVE-2016-4333

Hi,

Apparently a number of security-relevant problems have been found in the
HDF5 library and were publicised a couple of weeks ago:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333


I understand there is some risk opening untrusted HDF5 files with an unfixed 
library. Some Linux distributions have pushed out patched versions (for example 
Debian), but I’m not sure there is a source release available (or a binary 
build for that matter) from the HDF group. At least I could not see any 
announcement in this mailing list or on their web page.

Best wishes,
Tobias


_______________________________________________
Hdf-forum is for HDF software users discussion.
Hdf-forum@lists.hdfgroup.org
http://lists.hdfgroup.org/mailman/listinfo/hdf-forum_lists.hdfgroup.org
Twitter: https://twitter.com/hdf5