| Summary: | hdf5 new security issues CVE-2016-433[0-3] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, jim, lewyssmith, luigiwalser, marja11, mhrambo3501, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/707696/ | | |
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | | |
| Source RPM: | hdf5-1.8.15-2.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | Notes from a web tutorial on the HDF container format. | | |
Description

Zombie Ryushu 2016-12-01 00:30:59 CET

Zombie Ryushu 2016-12-01 00:31:23 CET
URL: (none) => http://www.linuxsecurity.com/content/view/169988/170/

Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11

Debian has issued an advisory on November 30: https://www.debian.org/security/2016/dsa-3727
More information at the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301
URL: http://www.linuxsecurity.com/content/view/169988/170/ => https://lwn.net/Vulnerabilities/707696/

Updated package has been uploaded for cauldron.
CC: (none) => mrambo

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated hdf5 package fixes security vulnerabilities:

Due to the HDF5 1.8.16 library's failure to check whether the number of dimensions for an array read from the file is within the bounds of the space allocated for it, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution (CVE-2016-4330).

When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size, leading to arbitrary code execution (CVE-2016-4331).

Due to the library's failure to check whether certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type, and the library will write outside the bounds of the heap buffer. This can lead to code execution in the context of the library (CVE-2016-4332).

The HDF5 1.8.16 library allocating space for the array using a value from the file has an impact within the loop for initializing said array, allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it (CVE-2016-4333).

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301
https://security-tracker.debian.org/tracker/CVE-2016-4330
https://security-tracker.debian.org/tracker/CVE-2016-4331
https://security-tracker.debian.org/tracker/CVE-2016-4332
https://security-tracker.debian.org/tracker/CVE-2016-4333
========================

Updated packages in core/updates_testing:
========================
hdf5-1.8.13-4.1.mga5
hdf5-debuginfo-1.8.13-4.1.mga5
lib64hdf5_8-1.8.13-4.1.mga5
lib64hdf5-devel-1.8.13-4.1.mga5
lib64hdf5_hl8-1.8.13-4.1.mga5

from hdf5-1.8.13-4.1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs

Tackling this for x86_64. It involves following a tutorial, so it may take some time. What else does one do on Christmas Day?
CC: (none) => tarazed25

Created attachment 8817
Notes from a web tutorial on the HDF container format.

This is a personal narrative based on following the HDF tutorial online.
For QA, a quick look at the tutorial should be sufficient to acquire an elementary grasp of the subject, sufficient to demonstrate that HDF is working at the C level. There are also Java, Fortran and C++ interfaces.
The copious examples in the tutorial show how to create datasets, but development of PoCs for the CVEs cited requires a more intimate understanding of the binary coding of the outputs. I tried blindly corrupting the heap section of a simple dataset using emacs and, as expected, produced a file for which h5dump raised an error. So, having successfully exercised the example files for the 1_8 branch of the hdf5-examples, I shall run the updates and perform the same tests. That is about all we can do.

MGA-32 on AcerD620 Xfce
No installation issues.
Limited test to first one in webtutorial
$ h5cc -o makesample h5_crtdat.c
In file included from /usr/include/H5public.h:37:0,
from /usr/include/hdf5.h:24,
from h5_crtdat.c:21:
/usr/include/features.h:148:3: warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp]
# warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
^
$ ./makesample
$ ls -l
-rw-r--r-- 1 tester5 tester5 1400 dec 26 15:07 dset.h5
-rw-r--r-- 1 tester5 tester5 2080 dec 26 15:00 h5_crtdat.c
-rw-r--r-- 1 tester5 tester5 6008 dec 26 15:07 h5_crtdat.o
-rwxr-xr-x 1 tester5 tester5 7591428 dec 26 15:07 makesample*
$ h5dump dset.h5
HDF5 "dset.h5" {
GROUP "/" {
DATASET "dset" {
DATATYPE H5T_STD_I32BE
DATASPACE SIMPLE { ( 4, 6 ) / ( 4, 6 ) }
DATA {
(0,0): 0, 0, 0, 0, 0, 0,
(1,0): 0, 0, 0, 0, 0, 0,
(2,0): 0, 0, 0, 0, 0, 0,
(3,0): 0, 0, 0, 0, 0, 0
}
}
}
}
$ od -a dset.h5
0000000 ht H D F cr nl sub nl nul nul nul nul nul bs bs nul
0000020 eot nul dle nul nul nul nul nul nul nul nul nul nul nul nul nul
0000040 del del del del del del del del x enq nul nul nul nul nul nul
0000060 del del del del del del del del nul nul nul nul nul nul nul nul
0000100 ` nul nul nul nul nul nul nul soh nul nul nul nul nul nul nul
0000120 bs nul nul nul nul nul nul nul ( stx nul nul nul nul nul nul
0000140 soh nul soh nul soh nul nul nul can nul nul nul nul nul nul nul
and a lot more, seems working OK
CC: (none) => herman.viaene

Forgot to mention, the hdf5-debuginfo-1.8.13-4.1.mga5 was not there in the repos.

Yes, I looked all over for it. Not available.

ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/5/i586/media/debug/core/updates_testing/hdf5-debuginfo-1.8.13-4.1.mga5.i586.rpm
CC: (none) => jim

https://wiki.mageia.org/en/Debugging_software_crashes#Preliminaries

Note that the "debug" repos and packages are now called "debuginfo".

(In reply to James Kerr from comment #12)
> https://wiki.mageia.org/en/Debugging_software_crashes#Preliminaries
>
> Note that the "debug" repo's and packages are now called "debuginfo"

Sorry - only the packages are called "debuginfo"; the repos are still just "debug".

Thanks James.
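The advisory above describes four bugs of one shape: a count, size or precision is read from the file and used to size or index a buffer without first being checked against the space it describes. Len's blind corruption attempt and the `od -a` dump of dset.h5 show where such checks begin. The following is an added example, not code from this report, from Mageia or from the HDF Group: a small bounds-checked reader for the version-0 superblock and the version-1 root object header prefix that the 1.8 library wrote here. The input bytes are reconstructed from Herman's `od -a` output (which clears bit 7, so the 0x89 signature byte and the 0x88 root B-tree address are inferred, and the 0x228 local heap address is assumed); the file size 1400 comes from his `ls -l` line. The names `h5_check_prefix`, `h5_parse_dset`, `h5_check_mutated`, `h5_info` and the `H5_*` status codes are this example's own, not part of the HDF5 API.

```c
/* Added example (not from the bug report, Mageia or the HDF Group): a bounds-checked reader
 * for the HDF5 version-0 superblock and version-1 object header prefix. Every count, size and
 * address taken from the file is validated against the space it describes before it is used. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First 0x70 bytes of dset.h5, CONSTRUCTED from the `od -a` dump: od -a clears bit 7, so the 0x89
 * signature byte and the 0x88 root B-tree address (0x60 header + 16-byte prefix + 24-byte message
 * block) are inferred, and the local heap address 0x228 is assumed. */
static const uint8_t DSET_H5_PREFIX[0x70] = {
    0x89,'H','D','F',0x0d,0x0a,0x1a,0x0a, 0x00,0x00,0x00,0x00,0x00,0x08,0x08,0x00,
    0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0x78,0x05,0x00,0x00,0x00,0x00,0x00,0x00,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x60,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x28,0x02,0x00,0x00,0x00,0x00,0x00,0x00,
    0x01,0x00,0x01,0x00,0x01,0x00,0x00,0x00, 0x18,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};
#define DSET_H5_FILE_SIZE 1400u   /* from the `ls -l` line in the report */
enum h5_status { H5_OK, H5_SHORT, H5_BAD_SIGNATURE, H5_BAD_VERSION,
                 H5_BAD_SIZEOF, H5_TRUNCATED, H5_BAD_ADDRESS, H5_BAD_OHDR };
struct h5_info { unsigned sizeof_addr, sizeof_size, ohdr_nmesgs;
                 uint64_t eof_addr, root_ohdr_addr, root_btree_addr, root_heap_addr, ohdr_size; };

static int rd(const uint8_t *buf, size_t len, size_t *pos, unsigned width, uint64_t *out)
{   /* little-endian field read that refuses to run past the buffer */
    uint64_t v = 0;
    if (width == 0 || width > 8 || *pos > len || len - *pos < width) return 0;
    for (unsigned i = 0; i < width; i++) v |= (uint64_t)buf[*pos + i] << (8 * i);
    *pos += width; *out = v; return 1;
}
static int undef(uint64_t v, unsigned width)   /* HDF5 "undefined address": all bytes 0xff */
{ return width == 8 ? v == UINT64_MAX : v == ((uint64_t)1 << (8 * width)) - 1; }

/* file_size is what stat()/ls reports for the whole file; out may be NULL. */
enum h5_status h5_check_prefix(const uint8_t *buf, size_t len, uint64_t file_size, struct h5_info *out)
{
    static const uint8_t sig[8] = {0x89,'H','D','F',0x0d,0x0a,0x1a,0x0a};
    struct h5_info in = {0};
    uint64_t v, skip;
    size_t pos = 8;
#define RD(width, dst) do { if (!rd(buf, len, &pos, (width), (dst))) return H5_SHORT; } while (0)
    if (len < 8 || memcmp(buf, sig, 8) != 0) return H5_BAD_SIGNATURE;
    RD(1, &v); if (v != 0) return H5_BAD_VERSION;   /* only superblock version 0 is handled */
    pos += 4;                                       /* free-space, root group, reserved, shared header versions */
    RD(1, &v); in.sizeof_addr = (unsigned)v;
    RD(1, &v); in.sizeof_size = (unsigned)v;
    if ((in.sizeof_addr != 2 && in.sizeof_addr != 4 && in.sizeof_addr != 8) ||
        (in.sizeof_size != 2 && in.sizeof_size != 4 && in.sizeof_size != 8)) return H5_BAD_SIZEOF;
    pos += 1 + 2 + 2 + 4;                           /* reserved, leaf K, internal K, consistency flags */
    RD(in.sizeof_addr, &skip);                      /* base address */
    RD(in.sizeof_addr, &skip);                      /* free-space info address */
    RD(in.sizeof_addr, &in.eof_addr);
    RD(in.sizeof_addr, &skip);                      /* driver info block address */
    if (undef(in.eof_addr, in.sizeof_addr) || in.eof_addr > file_size) return H5_TRUNCATED;
    /* Root group symbol table entry. */
    RD(in.sizeof_addr, &skip);                      /* link name offset */
    RD(in.sizeof_addr, &in.root_ohdr_addr);
    RD(4, &v); pos += 4;                            /* cache type, reserved */
    if (v == 1) {                                   /* scratch pad: B-tree and local heap addresses */
        RD(in.sizeof_addr, &in.root_btree_addr);
        RD(in.sizeof_addr, &in.root_heap_addr);
        if (in.root_btree_addr >= in.eof_addr || in.root_heap_addr >= in.eof_addr) return H5_BAD_ADDRESS;
    }
    if (undef(in.root_ohdr_addr, in.sizeof_addr) || in.root_ohdr_addr >= in.eof_addr) return H5_BAD_ADDRESS;
    /* Version-1 object header prefix: version, reserved, nmesgs(2), refcount(4), size(4), pad(4). */
    if (in.root_ohdr_addr > len) return H5_SHORT;
    pos = (size_t)in.root_ohdr_addr;
    RD(1, &v); pos += 1; if (v != 1) return H5_BAD_OHDR;
    RD(2, &v); in.ohdr_nmesgs = (unsigned)v; pos += 4;
    RD(4, &in.ohdr_size);
    /* Both values come from the file: each message needs at least an 8-byte header, and the
     * message block must fit between the 16-byte prefix and the EOF address. */
    if ((uint64_t)in.ohdr_nmesgs * 8 > in.ohdr_size) return H5_BAD_OHDR;
    if (in.eof_addr - in.root_ohdr_addr < 16 || in.ohdr_size > in.eof_addr - in.root_ohdr_addr - 16)
        return H5_BAD_OHDR;
#undef RD
    if (out) *out = in;
    return H5_OK;
}

struct h5_info h5_parse_dset(void)   /* parsed view of the dset.h5 prefix above */
{
    struct h5_info info = {0};
    h5_check_prefix(DSET_H5_PREFIX, sizeof DSET_H5_PREFIX, DSET_H5_FILE_SIZE, &info);
    return info;
}
enum h5_status h5_check_mutated(size_t offset, uint8_t value)   /* one targeted byte change, re-checked */
{
    uint8_t copy[sizeof DSET_H5_PREFIX];
    if (offset >= sizeof copy) return H5_SHORT;
    memcpy(copy, DSET_H5_PREFIX, sizeof copy);
    copy[offset] = value;
    return h5_check_prefix(copy, sizeof copy, DSET_H5_FILE_SIZE, NULL);
}

int main(void)
{
    struct h5_info i = h5_parse_dset();
    printf("eof=%llu root@%llu btree@%llu heap@%llu nmesgs=%u size=%llu\n", (unsigned long long)i.eof_addr,
           (unsigned long long)i.root_ohdr_addr, (unsigned long long)i.root_btree_addr,
           (unsigned long long)i.root_heap_addr, i.ohdr_nmesgs, (unsigned long long)i.ohdr_size);
    printf("mutated: eof=%d nmesgs=%d sizeof=%d\n", h5_check_mutated(0x29, 0xff),
           h5_check_mutated(0x62, 0xff), h5_check_mutated(0x0d, 0x10));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the parse of the untouched prefix reports EOF 1400, the root object header at 96 with one message in a 24-byte block, and the B-tree and heap at 136 and 552. The three mutations in `main` are the targeted form of Len's experiment: an EOF address past the real file size, a message count that cannot fit in the declared header size (the same shape as the unchecked dimension count in CVE-2016-4330), and an address width of 16 that would push every later read off the end of the superblock. Files written by newer libraries may use superblock versions 1 to 3 and version-2 object headers with checksums; this reader rejects those with H5_BAD_VERSION rather than guessing their layout.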
x86_64
$ rm -rf hdf5-examples
$ tar xf hdf5-examples.tar
Updated the packages, excluding hdf5-debuginfo.
From ./hdf5-examples/
$ ./configure HSEX_18=1
$ make
$ cd 1_6/C/H5D
$ ./h5ex_d_alloc
Creating datasets...
DS1 has allocation time H5D_ALLOC_TIME_LATE
DS2 has allocation time H5D_ALLOC_TIME_EARLY
Space for DS1 has not been allocated.
Storage size for DS1 is: 0 bytes.
Space for DS2 has been allocated.
Storage size for DS2 is: 112 bytes.
Writing data...
Space for DS1 has been allocated.
Storage size for DS1 is: 112 bytes.
Space for DS2 has been allocated.
Storage size for DS2 is: 112 bytes.
$ h5dump h5ex_d_alloc.h5
HDF5 "h5ex_d_alloc.h5" {
GROUP "/" {
DATASET "DS1" {
DATATYPE H5T_STD_I32LE
DATASPACE SIMPLE { ( 4, 7 ) / ( 4, 7 ) }
DATA {
(0,0): 0, -1, -2, -3, -4, -5, -6,
(1,0): 0, 0, 0, 0, 0, 0, 0,
(2,0): 0, 1, 2, 3, 4, 5, 6,
(3,0): 0, 2, 4, 6, 8, 10, 12
}
}
DATASET "DS2" {
DATATYPE H5T_STD_I32LE
DATASPACE SIMPLE { ( 4, 7 ) / ( 4, 7 ) }
DATA {
(0,0): 0, -1, -2, -3, -4, -5, -6,
(1,0): 0, 0, 0, 0, 0, 0, 0,
(2,0): 0, 1, 2, 3, 4, 5, 6,
(3,0): 0, 2, 4, 6, 8, 10, 12
}
}
}
}
This output agrees with the result posted in h5ex_d_alloc.test.
$ ./h5ex_d_checksum
Filter type is: H5Z_FILTER_FLETCHER32
Maximum value in DS1 is: 1890
$ h5dump h5ex_d_checksum.h5
shows that the last value in the dataset is 1890 and is the largest.
$ ./h5ex_d_compact
Storage layout for DS1 is: H5D_COMPACT
DS1:
[ 0 -1 -2 -3 -4 -5 -6]
[ 0 0 0 0 0 0 0]
[ 0 1 2 3 4 5 6]
[ 0 2 4 6 8 10 12]
$ h5dump h5ex_d_compact.h5
HDF5 "h5ex_d_compact.h5" {
GROUP "/" {
DATASET "DS1" {
DATATYPE H5T_STD_I32LE
DATASPACE SIMPLE { ( 4, 7 ) / ( 4, 7 ) }
DATA {
(0,0): 0, -1, -2, -3, -4, -5, -6,
(1,0): 0, 0, 0, 0, 0, 0, 0,
(2,0): 0, 1, 2, 3, 4, 5, 6,
(3,0): 0, 2, 4, 6, 8, 10, 12
}
}
}
}
Ran several more of these tests and the h5dump output data always agreed with what was expected, registered in the corresponding *.test file.
Len Lawrence 2016-12-26 17:57:00 CET
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Advisory from Comment 4; validated.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0425.html
Status: NEW => RESOLVED