Bug 1202620 (CVE-2022-25942)

Summary: VUL-0: CVE-2022-25942: hdf5: out-of-bounds read vulnerability in the gif2h5 functionality
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: HPC Issue Tracker <hpc-bugs>
Status: RESOLVED UPSTREAM QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: abergmann, eich, gabriele.sonnu, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/340423/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2022-08-23 06:43:23 UTC 
CVE-2022-25942

An out-of-bounds read vulnerability exists in the gif2h5 functionality of HDF5
Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution.
An attacker can provide a malicious file to trigger this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25942
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25942
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1486
Comment 1 Alexander Bergmann 2022-08-23 07:10:04 UTC 
From the version numbers all SUSE related packages seam to be clear.

SUSE:SLE-12-SP2:GA:Products:Update/hdf5  hdf5-1.10.8
SUSE:SLE-15:Update/hdf5                  hdf5-1.10.8
SUSE:SLE-15-SP1:Update/hdf5              hdf5-1.10.8
SUSE:SLE-15-SP2:Update/hdf5              hdf5-1.10.8
SUSE:SLE-15-SP3:Update/hdf5              hdf5-1.10.8
SUSE:SLE-15-SP4:GA/hdf5                  hdf5-1.10.8


There is no direct reference to a patch or git commit. We will leave the bug report open to check the correctness.
Comment 4 Gabriele Sonnu 2022-09-07 07:19:13 UTC 
Not affected since we don't ship the GIF tools. Closing.