Bug 1167404 - (CVE-2020-10809) VUL-0: CVE-2020-10809: hdf5: A heap-based buffer overflow exists in the function Decompress() located in decompress.c (in HDF5 through 1.12.0).
(CVE-2020-10809)
VUL-0: CVE-2020-10809: hdf5: A heap-based buffer overflow exists in the funct...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/255571/
CVSSv3.1:SUSE:CVE-2020-10809:8.1:(AV...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-03-23 09:52 UTC by Hans Loehr
Modified: 2022-09-07 07:09 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans Loehr 2020-03-23 09:52:23 UTC
CVE-2020-10809

An issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow
exists in the function Decompress() located in decompress.c. It can be triggered
by sending a crafted file to the gif2h5 binary. It allows an attacker to cause
Denial of Service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10809
https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10809
https://research.loginsoft.com/bugs/heap-overflow-in-decompress-c-hdf5-1-13-0/
https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/browse/release_docs/RELEASE.txt
Comment 1 Hans Loehr 2020-03-25 10:27:17 UTC
To reproduce, see:
https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_1

At least SLE15-SP1 and SLE12-SP2 are affected; probably other versions, too.
Comment 2 Hans Loehr 2020-03-25 12:50:39 UTC
SLE15 has the same code (same version of hdf5) as SLE12-SP2;

SLE12 has an older version, but the relevant code looks the same.
=> probably also affected.
Comment 5 OBSbugzilla Bot 2022-05-04 12:40:23 UTC
This is an autogenerated message for OBS integration:
This bug (1167404) was mentioned in
https://build.opensuse.org/request/show/974903 Factory / hdf5
Comment 6 Egbert Eich 2022-05-05 10:40:48 UTC
This is fixed by disabling building of the GIF tool in 1.10.8.
Comment 11 Swamp Workflow Management 2022-06-01 13:18:51 UTC
SUSE-SU-2022:1903-1: An update that solves 27 vulnerabilities, contains four features and has 5 fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150100.7.4.3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150100.7.4.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-06-01 19:20:05 UTC
SUSE-SU-2022:1910-1: An update that solves 27 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1167401,1167404,1167405,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: 
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150200.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150200.8.4.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150200.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150200.8.4.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-06-02 13:18:22 UTC
SUSE-SU-2022:1912-1: An update that solves 15 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1093657,1101471,1101474,1102175,1109167,1109168,1109564,1109565,1109566,1109568,1109569,1109570,1167401,1167404,1167405,1179521,1196682
CVE References: CVE-2018-11206,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-openmpi4-hpc-1.10.8-150300.4.3.2
openSUSE Leap 15.3 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-openmpi4-hpc-1.10.8-150300.4.3.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-openmpi4-hpc-1.10.8-150300.4.3.2
SUSE Linux Enterprise Module for HPC 15-SP3 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-openmpi4-hpc-1.10.8-150300.4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-06-02 13:21:37 UTC
SUSE-SU-2022:1911-1: An update that solves 27 vulnerabilities, contains four features and has 8 fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1116458,1124509,1133222,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150000.8.4.3, suse-hpc-0.5.20220206.0c6b168-150000.11.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150000.8.4.3, suse-hpc-0.5.20220206.0c6b168-150000.11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-06-03 13:19:12 UTC
SUSE-SU-2022:1933-1: An update that solves 27 vulnerabilities, contains four features and has 17 fixes is now available.

Category: security (important)
Bug References: 1058563,1072087,1072090,1072108,1072111,1080022,1080259,1080426,1080442,1082209,1084951,1088547,1091237,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1116458,1124509,1133222,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-3.12.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-3.12.2, hdf5_1_10_8-gnu-openmpi1-hpc-1.10.8-3.12.2, suse-hpc-0.5.20220206.0c6b168-5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Gabriele Sonnu 2022-09-06 13:50:56 UTC
Done.
Comment 17 Egbert Eich 2022-09-07 07:09:15 UTC
The reproducer crashes in different code than described in:
https://research.loginsoft.com/vulnerability/heap-overflow-in-decompress-c-hdf5-1-13-0/
Program received signal SIGSEGV, Segmentation fault.
0x0000000000405ad4 in ReadCode () at decompress.c:85
85	    RawCode = Raster[ByteOffset] + (0x100 * Raster[ByteOffset + 1]);