Bug 27771

Summary: hdf5 new security issue CVE-2020-10812
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: Chris Denice <eatdirt>
Status: NEW ---
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: geiger.david68210, luigiwalser, nicolas.salguero
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-10812
Whiteboard: MGA9TOO
Source RPM: hdf5-1.12.2-6.mga10.src.rpm
CVE:
Status comment: Fixed upstream in 1.14.4

Description Zombie Ryushu 2020-12-07 00:08:37 CET
An issue was discovered in HDF5 through 1.12.0. A NULL pointer dereference exists in the function H5F_get_nrefs() located in H5Fquery.c. It allows an attacker to cause Denial of Service.

Comment 1 David Walser 2020-12-07 02:26:16 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10812

Fixed upstream in 1.13.0.

Whiteboard: (none) => MGA7TOO
Severity: normal => major

Comment 2 Lewis Smith 2020-12-07 10:15:23 CET
This looks right to assign to you, Chris.

Assignee: bugsquad => eatdirt
Version: 7 => Cauldron
Source RPM: hdf5-1.10.7-3.mga8.src => hdf5-1.10.7-3.mga8.src.rpm

Comment 3 Chris Denice 2020-12-12 18:45:54 CET
Yep, I'll have a look!

Comment 4 Chris Denice 2020-12-12 21:17:02 CET
There is no such thing as a 1.13.0 version, and in fact this bug is currently unfixed upstream.

Red Hat closed it as being hardly usable and marked it as wontfix. Let me switch the priority to low then, and wait for an upstream fix.

cheers,
Chris.

Priority: Normal => Low
Severity: major => normal

Comment 5 David Walser 2020-12-12 21:27:18 CET
Severity set based on NVD rating, please don't change that.  Low priority is fine.

Summary: hdf5 security issue CVE-2020-10812 => hdf5 new security issue CVE-2020-10812
Severity: normal => major

David Walser 2020-12-27 22:33:51 CET

Status comment: (none) => No fix available as of end of 2020

David Walser 2020-12-28 17:10:31 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 6 David Walser 2021-07-01 18:47:05 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 7 David Walser 2022-06-02 01:15:47 CEST
There are apparently a lot more security issues in hdf5 that preceded this one (and apparently 1.13.0 does exist, but is vulnerable to some of the issues).  It sounds like the fixes are in 1.10.8 though.

CVE-2017-17505 CVE-2017-17506 CVE-2017-17508
CVE-2017-17509 CVE-2018-11202 CVE-2018-11203
CVE-2018-11204 CVE-2018-11206 CVE-2018-11207
CVE-2018-13869 CVE-2018-13870 CVE-2018-14032
CVE-2018-14033 CVE-2018-14460 CVE-2018-17233
CVE-2018-17234 CVE-2018-17237 CVE-2018-17432
CVE-2018-17433 CVE-2018-17434 CVE-2018-17435
CVE-2018-17436 CVE-2018-17437 CVE-2018-17438
CVE-2020-10809 CVE-2020-10810 CVE-2020-10811

SUSE has issued an advisory for those issues today (June 1):
https://lists.suse.com/pipermail/sle-security-updates/2022-June/011217.html

Status comment: No fix available as of end of 2020 => Possibly fixed in 1.10.8

Comment 8 Chris Denice 2022-06-05 19:27:57 CEST
Thanks, I'll try an update to 1.10.8. The hdf5 versioning is a nightmare in terms of background compat; I still need to investigate how bad 1.13.0 is in that respect.

Comment 9 David Walser 2022-11-02 21:52:14 CET
SUSE has issued an advisory on November 1:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012787.html

It lists several new CVEs, including the one in the bug title:
CVE-2018-11205 CVE-2018-13867 CVE-2018-14031
CVE-2018-16438 CVE-2018-17439 CVE-2019-8396
CVE-2020-10812 CVE-2021-45830 CVE-2021-45833
CVE-2021-46242 CVE-2021-46244

CC: (none) => luigiwalser

Comment 10 David Walser 2022-11-02 22:13:08 CET
(In reply to David Walser from comment #9)
> SUSE has issued an advisory on November 1:
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012787.html
> 
> It lists several new CVEs, including the one in the bug title:
> CVE-2018-11205 CVE-2018-13867 CVE-2018-14031
> CVE-2018-16438 CVE-2018-17439 CVE-2019-8396
> CVE-2020-10812 CVE-2021-45830 CVE-2021-45833
> CVE-2021-46242 CVE-2021-46244

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2YN32PFE2HBMH4G33IEUEV5S4QGCZ5NE/

Comment 11 David Walser 2023-03-13 22:38:26 CET
SUSE has issued an advisory on March 9:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014012.html

CVE-2021-37501 is the latest issue.

Priority: Low => Normal

Comment 12 David GEIGER 2024-06-15 11:01:21 CEST
Removing Mageia 8 from whiteboard due to EOL!

CC: (none) => geiger.david68210
Whiteboard: MGA8TOO => MGA9TOO

Comment 13 Chris Denice 2024-06-17 10:45:23 CEST
Thanks for the heads-up.
I'll dig back into those for Mageia 10, but hdf5 is sensitive :(

Comment 14 Nicolas Salguero 2024-06-21 09:07:05 CEST
Upstream has released version 1.14.4:
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/

SUSE has issued an advisory on June 20:
https://lists.suse.com/pipermail/sle-security-updates/2024-June/018768.html

They list several new CVEs:
CVE-2017-17507
CVE-2024-29157
CVE-2024-29158
CVE-2024-29159
CVE-2024-29160
CVE-2024-29161
CVE-2024-29162
CVE-2024-29163
CVE-2024-29164
CVE-2024-29165
CVE-2024-29166
CVE-2024-32605
CVE-2024-32606
CVE-2024-32607
CVE-2024-32608
CVE-2024-32609
CVE-2024-32610
CVE-2024-32611
CVE-2024-32612
CVE-2024-32613
CVE-2024-32614
CVE-2024-32615
CVE-2024-32616
CVE-2024-32617
CVE-2024-32618
CVE-2024-32619
CVE-2024-32620
CVE-2024-32621
CVE-2024-32622
CVE-2024-32623
CVE-2024-32624
CVE-2024-33873
CVE-2024-33874
CVE-2024-33875
CVE-2024-33876
CVE-2024-33877

Status comment: Possibly fixed in 1.10.8 => Fixed upstream in 1.14.4
Source RPM: hdf5-1.10.7-3.mga8.src.rpm => hdf5-1.12.2-6.mga10.src.rpm
CC: (none) => nicolas.salguero