Bug#884365: hdf5: CVE-2017-17505 CVE-2017-17506 CVE-2017-17507 CVE-2017-17508 CVE-2017-17509
Source: hdf5
Version: 1.8.13+docs-1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for hdf5; the POCs are found at [5]. Apart from CVE-2017-17509, all are confirmed back to 1.8.13+docs-15+deb8u1. I still decided to collect that CVE as well in this bug, but we can split up by affected version. Not sure as well if the issues have been reported to upstream.

CVE-2017-17505[0]:
| In HDF5 1.10.1, there is a NULL pointer dereference in the function
| H5O_pline_decode in the H5Opline.c file in libhdf5.a. For example,
| h5dump would crash when someone opens a crafted hdf5 file.

CVE-2017-17506[1]:
| In HDF5 1.10.1, there is an out of bounds read vulnerability in the
| function H5Opline_pline_decode in H5Opline.c in libhdf5.a. For example,
| h5dump would crash when someone opens a crafted hdf5 file.

CVE-2017-17507[2]:
| In HDF5 1.10.1, there is an out of bounds read vulnerability in the
| function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example,
| h5dump would crash when someone opens a crafted hdf5 file.

CVE-2017-17508[3]:
| In HDF5 1.10.1, there is a divide-by-zero vulnerability in the function
| H5T_set_loc in the H5T.c file in libhdf5.a. For example, h5dump would
| crash when someone opens a crafted hdf5 file.

CVE-2017-17509[4]:
| In HDF5 1.10.1, there is an out of bounds write vulnerability in the
| function H5G__ent_decode_vec in H5Gcache.c in libhdf5.a. For example,
| h5dump would crash or possibly have unspecified other impact when someone
| opens a crafted hdf5 file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17505
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17505
[1] https://security-tracker.debian.org/tracker/CVE-2017-17506
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17506
[2] https://security-tracker.debian.org/tracker/CVE-2017-17507
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17507
[3] https://security-tracker.debian.org/tracker/CVE-2017-17508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17508
[4] https://security-tracker.debian.org/tracker/CVE-2017-17509
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17509
[5] https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md

Regards,
Salvatore

___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel
Bug#875690: Fixed in FreeXL 1.0.4
Hi Bas,

On Sun, Sep 17, 2017 at 12:01:53AM +0200, Sebastiaan Couwenberg wrote:
> Hi Salvatore,
>
> On 09/13/2017 07:27 PM, Bas Couwenberg wrote:
> > Should be fixed in the new upstream release:
> >
> > https://groups.google.com/forum/m/#!topic/spatialite-users/Wpj62XSzcZY
> >
> > I'm not able to work on this until I return from VAC.
>
> I've cherry-picked the changes from 1.0.4 and prepared updates for
> stretch, jessie & wheezy. The changes are available in git, and the
> debdiffs are attached.
>
>  * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
>  * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
>  * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
>
> Are these OK to upload?

Thanks for those for jessie- and stretch-security; the debdiffs look good to me. Assuming you got a chance to test the resulting packages, please do upload the jessie- and stretch-security ones. Remember to build the one for stretch-security with -sa since it's new to dak on security-master.

For wheezy, there is a dedicated team taking care of LTS. So you might want to contact debian-lts@l.d.o.

Thanks for your work, much appreciated!

Regards,
Salvatore

FTR, for future reference, please Cc the security team when you have debdiffs ready for a security upload; this way we can distribute the DSA load among the available team members :)
Bug#845301: hdf5: CVE-2016-4330 CVE-2016-4331 CVE-2016-4332 CVE-2016-4333
Source: hdf5
Version: 1.8.16+docs-8
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for hdf5.

CVE-2016-4330[0]:
| In the HDF5 1.8.16 library's failure to check if the number of
| dimensions for an array read from the file is within the bounds of the
| space allocated for it, a heap-based buffer overflow will occur,
| potentially leading to arbitrary code execution.

CVE-2016-4331[1]:
| When decoding data out of a dataset encoded with the H5Z_NBIT
| decoding, the HDF5 1.8.16 library will fail to ensure that the
| precision is within the bounds of the size leading to arbitrary code
| execution.

CVE-2016-4332[2]:
| The library's failure to check if certain message types support a
| particular flag, the HDF5 1.8.16 library will cast the structure to an
| alternative structure and then assign to fields that aren't supported
| by the message type and the library will write outside the bounds of
| the heap buffer. This can lead to code execution under the context of
| the library.

CVE-2016-4333[3]:
| The HDF5 1.8.16 library allocating space for the array using a value
| from the file has an impact within the loop for initializing said
| array allowing a value within the file to modify the loop's
| terminator. Due to this, an aggressor can cause the loop's index to
| point outside the bounds of the array when initializing it.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4330
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330
[1] https://security-tracker.debian.org/tracker/CVE-2016-4331
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331
[2] https://security-tracker.debian.org/tracker/CVE-2016-4332
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332
[3] https://security-tracker.debian.org/tracker/CVE-2016-4333
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
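The two hdf5 reports above describe one class of bug: a count or size taken from the file (the number of dimensions in CVE-2016-4330, the loop bound in CVE-2016-4333, the message lengths behind the out-of-bounds reads in CVE-2017-17506 and the write in CVE-2017-17509) is used before it is checked against the space actually allocated and the bytes actually present. The following is an added illustrative example in C; it is not HDF5's code and not part of either bug report. The message layout (version byte, rank byte, then rank x 8-byte little-endian dimensions), the function names, the fixed maximum rank of 32 and the sample messages are all assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed maximum rank for the demo; the output struct is sized for it. */
#define MAX_RANK 32

struct dataspace {
    unsigned ndims;
    uint64_t dims[MAX_RANK];
};

/* Decode a little-endian 64-bit value from 8 bytes. */
static uint64_t get_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Vulnerable pattern (illustrative, not HDF5's code): the rank read from the
 * message is trusted as-is, so a rank above MAX_RANK writes past dims[] and a
 * short message makes the loop read past the end of buf. */
int decode_dataspace_unchecked(const uint8_t *buf, size_t len, struct dataspace *out) {
    (void)len;                       /* the length is never consulted */
    out->ndims = buf[1];
    for (unsigned i = 0; i < out->ndims; i++)
        out->dims[i] = get_le64(buf + 2 + 8 * (size_t)i);
    return 0;
}

/* Hardened form: bound the rank by the space allocated for it, and check that
 * the message really carries the bytes it claims before reading them. The
 * rank is copied to a local before the loop, so nothing written inside the
 * loop can alter its terminator. Returns 0 on success, negative on reject. */
int decode_dataspace_checked(const uint8_t *buf, size_t len, struct dataspace *out) {
    if (len < 2)
        return -1;                   /* header itself is truncated */
    unsigned ndims = buf[1];
    if (ndims > MAX_RANK)
        return -2;                   /* rank exceeds allocated space: would overflow dims[] */
    if (len - 2 < (size_t)ndims * 8)
        return -3;                   /* message shorter than claimed: would read out of bounds */
    out->ndims = ndims;
    for (unsigned i = 0; i < ndims; i++)
        out->dims[i] = get_le64(buf + 2 + 8 * (size_t)i);
    return 0;
}

/* Constructed sample messages (not taken from any real file). */
const uint8_t good_msg[]      = { 1, 2,   16,0,0,0,0,0,0,0,  3,0,0,0,0,0,0,0 }; /* rank 2: 16 x 3 */
const uint8_t bad_rank_msg[]  = { 1, 200, 0,0,0,0,0,0,0,0 };                    /* claims rank 200 */
const uint8_t truncated_msg[] = { 1, 3,   1,0,0,0,0,0,0,0 };                    /* claims rank 3, carries one dim */

struct dataspace scratch;

int main(void) {
    int rc = decode_dataspace_checked(good_msg, sizeof good_msg, &scratch);
    printf("good:      rc=%d ndims=%u dims=%llu x %llu\n", rc, scratch.ndims,
           (unsigned long long)scratch.dims[0], (unsigned long long)scratch.dims[1]);
    printf("bad rank:  rc=%d\n", decode_dataspace_checked(bad_rank_msg, sizeof bad_rank_msg, &scratch));
    printf("truncated: rc=%d\n", decode_dataspace_checked(truncated_msg, sizeof truncated_msg, &scratch));
    return 0;
}
```

Only the checked decoder is ever fed the hostile messages; running the unchecked one on them is exactly the crash (or worse) that h5dump exhibits on the crafted files. The two checks are independent: the rank check protects the destination, the length check protects the source, and a decoder needs both.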
Bug#734565: mapserver: CVE-2013-7262
Hi Sebastiaan,

On Wed, Jan 08, 2014 at 11:15:56PM +0100, Sebastiaan Couwenberg wrote:
> Hi Salvatore,
>
> On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
> > On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
> > > On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > The new mapserver packages were prepared before the CVE was available.
>
> I've prepared new mapserver packages for squeeze and wheezy with only the
> fix for this CVE; the new stable upstream release route I initially took
> is not proper to fix this issue.
>
> mapserver (6.0.1-3.2+deb7u2) for wheezy:
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc
>
> mapserver (5.6.5-2+squeeze3) for squeeze:
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc
>
> The squeeze package contained debhelper.log files in the debian/ directory,
> which caused problems for clean pbuilder builds, so they were removed. And
> dpatch insisted on changing the permissions. I've included these changes in
> the squeeze package too.
>
> > > > Please adjust the affected versions in the BTS as needed, at least
> > > > unstable from looking at source seems affected.
> > >
> > > Unstable is no longer affected with the upload of mapserver 6.4.1,
> > > wheezy and squeeze still are, but the proposed updates for both are
> > > waiting for feedback from the release team:
> >
> > Could you clarify if the second commit referenced in
> > https://github.com/mapserver/mapserver/issues/4834 (WFS-2 specific fixes
> > for postgis time sql injections (#4834,#4815)) is also needed? Is this
> > relevant for Debian?
>
> No, the WFS-2 specific commit shouldn't be relevant for Debian yet. The
> vulnerability was discovered during the implementation of WFS 2.0 support
> in MapServer. That support only lives in the master branch for now and
> will be included in the next major upstream release.

Okay, thanks for this explanation.
Regarding the upload for security: we have tagged this issue 'no-dsa'[1], meaning that no DSA is planned for this vulnerability only. So if you are planning to do a (old)stable-proposed-updates upload, the above can be included there (either by updating to a new upstream version as you propose or by an isolated patch; it depends on what the release team would like to have for these two opu and pu requests).

[1] https://security-tracker.debian.org/tracker/CVE-2013-7262

Thanks again for the quick followups,

Regards,
Salvatore
[DebianGIS-dev] Bug#519575: hdf5: possible to package new upstream version?
Package: hdf5
Version: 1.6.6-4
Severity: wishlist

Hi

There seems to be a new upstream version of hdf5 (1.8.2). Would it be possible to package the new version?

Kind regards
Salvatore

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.28.1-1-t42 (PREEMPT)
Locale: LANG=C, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[DebianGIS-dev] Bug#515579: libhdf5-openmpi-dev: mpi.h and mpio.h are not found
Hi

I ran into the same problem as #515579 when packaging udav. Are there any news on that?

Kind regards
Salvatore