From: Sudhir Dumbhare <[email protected]> Upstream Repository: https://github.com/HDFGroup/hdf5.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2912 Type: Security Fix CVE: CVE-2025-2912 Score: 4.8 Patch: https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a Analysis: - CVE-2025-2913 was previously fixed by [1], which is also addresses CVE-2025-2912 as noted in [4]. - NVD [2] references the GitHub discussion [3] for CVE-2025-2912, and we successfully reproduced the issue following the steps outlined there. - Applied the fix from [4] and verified resolution using the reproduction steps. - The same patch [4] is already included in OE-scarthgap [5] for CVE-2025-2913. - Therefore, reused the patch from [5] to resolve CVE-2025-2912. References: [1] https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a [2] https://nvd.nist.gov/vuln/detail/CVE-2025-2912 [3] https://github.com/HDFGroup/hdf5/issues/5370#issue-2917388806 [4] https://github.com/HDFGroup/hdf5/issues/5370#issuecomment-3542881855 [5] https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-support/hdf5?h=scarthgap&id=b42e6eb3e51a Signed-off-by: Sudhir Dumbhare <[email protected]> --- .../{CVE-2025-2913.patch => CVE-2025-2913-CVE-2025-2912.patch} | 3 ++- meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) rename meta-oe/recipes-support/hdf5/files/{CVE-2025-2913.patch => CVE-2025-2913-CVE-2025-2912.patch} (94%) diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch similarity index 94% rename from meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch rename to meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch index e1614bee9b..47c887597a 100644 --- a/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch @@ -9,10 +9,11 @@ one of the free lists. It appeared that the library came to this vulnerability after it encountered an undetected reading of a bad value. The fuzzer now failed with an appropriate error message. -CVE: CVE-2025-2913 +CVE: CVE-2025-2913 CVE-2025-2912 Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a09c892bc97ac32d9515c3777ce07] (cherry picked from commit 7cc8b5e1010a09c892bc97ac32d9515c3777ce07) Signed-off-by: Ankur Tyagi <[email protected]> +Signed-off-by: Sudhir Dumbhare <[email protected]> --- src/H5Ocont.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 8a37323536..e8432f0d6b 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -15,7 +15,7 @@ SRC_URI = " \ https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.4/src/${BPN}-${PV}.tar.gz \ file://0002-Remove-suffix-shared-from-shared-library-name.patch \ file://0001-cmake-remove-build-flags.patch \ - file://CVE-2025-2913.patch \ + file://CVE-2025-2913-CVE-2025-2912.patch \ file://CVE-2025-2914.patch \ file://CVE-2025-2915.patch \ file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \ -- 2.44.4
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122393): https://lists.openembedded.org/g/openembedded-devel/message/122393 Mute This Topic: https://lists.openembedded.org/mt/116689930/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
