Bug 1109566 - (CVE-2018-17434) VUL-0: CVE-2018-17434: hdf5: A SIGFPE signal is raised in the function apply_filters() of h5repack_filters.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against div
(CVE-2018-17434)
VUL-0: CVE-2018-17434: hdf5: A SIGFPE signal is raised in the function apply_...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: HPC Issue Tracker
Security Team bot
https://smash.suse.de/issue/215499/
CVSSv3:SUSE:CVE-2018-17434:6.5:(AV:N...
:
Depends on:
Blocks: 1101742
  Show dependency treegraph
 
Reported: 2018-09-25 06:46 UTC by Alexander Bergmann
Modified: 2022-06-03 13:18 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2018-09-25 06:46:34 UTC
CVE-2018-17434

A SIGFPE signal is raised in the function apply_filters() of h5repack_filters.c
in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted
HDF file, because of incorrect protection against division by zero. It could
allow a remote denial of service attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17434
http://www.cvedetails.com/cve/CVE-2018-17434/
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters
Comment 2 Egbert Eich 2022-05-05 10:39:44 UTC
This issue has been fixed in 1.10.5.
Now:
$ h5repack -f GZIP=8 -l dset1:CHUNK=5x6 SIGFPE_apply_filters_h5repack_filters test11.h5
Error occurred while repacking
Comment 3 OBSbugzilla Bot 2022-05-05 10:40:04 UTC
This is an autogenerated message for OBS integration:
This bug (1109566) was mentioned in
https://build.opensuse.org/request/show/975082 Factory / hdf5
Comment 8 Swamp Workflow Management 2022-06-01 13:18:20 UTC
SUSE-SU-2022:1903-1: An update that solves 27 vulnerabilities, contains four features and has 5 fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150100.7.4.3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150100.7.4.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-06-01 19:19:39 UTC
SUSE-SU-2022:1910-1: An update that solves 27 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1167401,1167404,1167405,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: 
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150200.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150200.8.4.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150200.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150200.8.4.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-06-02 13:17:58 UTC
SUSE-SU-2022:1912-1: An update that solves 15 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1093657,1101471,1101474,1102175,1109167,1109168,1109564,1109565,1109566,1109568,1109569,1109570,1167401,1167404,1167405,1179521,1196682
CVE References: CVE-2018-11206,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-openmpi4-hpc-1.10.8-150300.4.3.2
openSUSE Leap 15.3 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-openmpi4-hpc-1.10.8-150300.4.3.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-openmpi4-hpc-1.10.8-150300.4.3.2
SUSE Linux Enterprise Module for HPC 15-SP3 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150300.4.3.1, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150300.4.3.2, hdf5_1_10_8-gnu-openmpi4-hpc-1.10.8-150300.4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-06-02 13:20:52 UTC
SUSE-SU-2022:1911-1: An update that solves 27 vulnerabilities, contains four features and has 8 fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1116458,1124509,1133222,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150000.8.4.3, suse-hpc-0.5.20220206.0c6b168-150000.11.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150000.8.4.3, suse-hpc-0.5.20220206.0c6b168-150000.11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-06-03 13:18:24 UTC
SUSE-SU-2022:1933-1: An update that solves 27 vulnerabilities, contains four features and has 17 fixes is now available.

Category: security (important)
Bug References: 1058563,1072087,1072090,1072108,1072111,1080022,1080259,1080426,1080442,1082209,1084951,1088547,1091237,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1116458,1124509,1133222,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-3.12.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-3.12.2, hdf5_1_10_8-gnu-openmpi1-hpc-1.10.8-3.12.2, suse-hpc-0.5.20220206.0c6b168-5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.