Bugzilla – Bug 1072093
VUL-1: CVE-2017-17507: hdf5: Out of bounds read in the function H5T_conv_struct_opt
Last modified: 2022-10-26 14:43:56 UTC
Created attachment 752265
Reproducer CVE-2017-17507

In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file.

h5dump 3-hdf5-outbound-read-H5T_conv_struct_opt

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17507
SUSE will not provide a fix for this issue since the risk to our customers posed by this is negligible.
Quote from the hdf5 release notes:

"- If an HDF5 file contains a malformed compound datatype with a suitably large offset, the type conversion code can run off the end of the type conversion buffer, causing a segmentation fault. This issue was reported to The HDF Group as issue #CVE-2017-17507.

NOTE: The HDF5 C library cannot produce such a file. This condition should only occur in a corrupt (or deliberately altered) file or a file created by third-party software.

THE HDF GROUP WILL NOT FIX THIS BUG AT THIS TIME

Fixing this problem would involve updating the publicly visible H5T_conv_t function pointer typedef and versioning the API calls which use it. We normally only modify the public API during major releases, so this bug will not be fixed at this time."
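Added illustration of the bounds check whose absence the release note describes (example code written for this page, not libhdf5's own code and not part of the bug report): a simplified compound type whose member offsets are validated against the record size before any member is copied out of the conversion buffer. The struct layout, function names and sample types are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for an HDF5 compound datatype (not libhdf5's structs):
 * each member sits at a byte offset inside a fixed-size record. */
typedef struct {
    size_t offset; /* byte offset of the member inside the record */
    size_t size;   /* size of the member's own datatype in bytes */
} member_t;
typedef struct {
    size_t size;   /* size of the whole compound record in bytes */
    size_t nmembs;
    const member_t *membs;
} compound_t;
/* True only if every member lies entirely inside the record. The comparison
 * is arranged so that offset + size cannot wrap around on a huge offset. */
bool compound_members_in_bounds(const compound_t *t) {
    for (size_t i = 0; i < t->nmembs; i++) {
        const member_t *m = &t->membs[i];
        if (m->offset > t->size || m->size > t->size - m->offset)
            return false;
    }
    return true;
}
/* Copy member idx out of one record held in a conversion buffer of buf_len
 * bytes. Returns bytes copied, or 0 when the type or a buffer would be overrun
 * (the read past the conversion buffer that the release note describes). */
size_t copy_member_checked(const compound_t *t, size_t idx,
                           const uint8_t *buf, size_t buf_len,
                           uint8_t *out, size_t out_len) {
    if (idx >= t->nmembs || !compound_members_in_bounds(t)) return 0;
    if (t->size > buf_len || t->membs[idx].size > out_len) return 0;
    memcpy(out, buf + t->membs[idx].offset, t->membs[idx].size);
    return t->membs[idx].size;
}

/* Constructed sample types, not taken from any real file. The second member
 * of bad_type sits far past its 16-byte record, as a crafted file could carry. */
static const member_t sane_members[2] = {{0, 8}, {8, 8}};
static const compound_t sane_type = {16, 2, sane_members};
static const member_t bad_members[2] = {{0, 8}, {0x10000, 8}};
static const compound_t bad_type = {16, 2, bad_members};
/* Extract member idx from a zero-filled 16-byte record; 0 means rejected. */
size_t demo_extract(const compound_t *t, size_t idx) {
    uint8_t record[16] = {0}, out[8];
    return copy_member_checked(t, idx, record, sizeof record, out, sizeof out);
}
```

The whole type is rejected as soon as one member fails the check, so no later member is ever read at its (possibly huge) offset.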
SEGV during read:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79026de in H5F_addr_decode_len (addr_len=8, pp=0x7fffffffa4f8, addr_p=0x7fffffffa4f0) at H5Fint.c:2486
2486	c = *(*pp)++;
Missing separate debuginfos, use: zypper install libz1-debuginfo-1.2.11-150000.3.33.1.x86_64
(gdb) x/i $pc
=> 0x7ffff79026de <H5F_addr_decode_len+76>:	movzbl (%rcx),%ecx
On 1.10.8 this runs without reporting an error.
This bug is not marked fixed by upstream while it no longer triggers on 1.10.8. Upstream ticket: https://jira.hdfgroup.org/browse/HDFFV-10356