Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data.
URL: (none) => http://www.linuxsecurity.com/content/view/169988/170/
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Version: 5 => Cauldron
Assignee: bugsquad => pkg-bugs
Source RPM: (none) => hdf5
Whiteboard: (none) => MGA5TOO
Debian has issued an advisory on November 30:
https://www.debian.org/security/2016/dsa-3727

More information at the Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301
URL: http://www.linuxsecurity.com/content/view/169988/170/ => https://lwn.net/Vulnerabilities/707696/
CC: (none) => luigiwalser
Summary: hdf5 security vulnerability CVE-2016-4330 CVE-2016-4331 CVE-2016-4332 CVE-2016-4333 => hdf5 new security issues CVE-2016-433[0-3]
Source RPM: hdf5 => hdf5-1.8.15-2.mga6.src.rpm
Updated package has been uploaded for cauldron.
CC: (none) => mrambo
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated hdf5 package fixes security vulnerability:

Due to the HDF5 1.8.16 library's failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution (CVE-2016-4330).

When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size, leading to arbitrary code execution (CVE-2016-4331).

Due to the library's failure to check if certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type, and the library will write outside the bounds of the heap buffer. This can lead to code execution under the context of the library (CVE-2016-4332).

The HDF5 1.8.16 library's allocating space for the array using a value from the file has an impact within the loop for initializing said array, allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it (CVE-2016-4333).

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301
https://security-tracker.debian.org/tracker/CVE-2016-4330
https://security-tracker.debian.org/tracker/CVE-2016-4331
https://security-tracker.debian.org/tracker/CVE-2016-4332
https://security-tracker.debian.org/tracker/CVE-2016-4333
========================

Updated packages in core/updates_testing:
========================
hdf5-1.8.13-4.1.mga5
hdf5-debuginfo-1.8.13-4.1.mga5
lib64hdf5_8-1.8.13-4.1.mga5
lib64hdf5-devel-1.8.13-4.1.mga5
lib64hdf5_hl8-1.8.13-4.1.mga5

from hdf5-1.8.13-4.1.mga5.src.rpm
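An added illustration of the bug class the advisory describes for CVE-2016-4330 and CVE-2016-4333 (this is not HDF5's code and not part of the bug report): a decoder that takes a dimension count from the file and fills a fixed-size array with it. The message layout (one rank byte, then rank 8-byte little-endian sizes), the MAX_RANK constant, the function names and the sample messages are this example's own assumptions, not HDF5's dataspace message encoding. The point it shows is that the count is validated against the space allocated for it and against the message length before the initialisation loop runs, and that the loop terminates on a local copy rather than on a field the file could still overwrite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed number of dimension slots the decoder has room for. HDF5's own
 * limit is H5S_MAX_RANK = 32; this constant is the example's own. */
#define MAX_RANK 32

typedef struct {
    unsigned rank;              /* number of dimensions actually decoded */
    uint64_t dims[MAX_RANK];    /* the space "allocated for it" */
} dataspace_t;

/* Little-endian 64-bit read. The wire layout used here is an assumption
 * made for this example, not HDF5's dataspace message encoding. */
static uint64_t read_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Decode "1 byte rank, then rank 8-byte dimension sizes" into *out.
 * Returns 0 on success, -1 if the message is malformed. */
int decode_dataspace(const uint8_t *msg, size_t len, dataspace_t *out)
{
    if (msg == NULL || out == NULL || len < 1)
        return -1;

    /* Copy the count into a local before validating it; the loop below
     * terminates on this local, not on anything the file contents can
     * still influence (the CVE-2016-4333 class of bug). */
    unsigned rank = msg[0];

    /* The check whose absence the CVE-2016-4330 text cites: a rank taken
     * from the file must fit the space allocated for it, otherwise the
     * initialisation loop writes past the end of dims[]. */
    if (rank > MAX_RANK)
        return -1;

    /* The message must also carry that many dimensions, so the loop
     * never reads past the end of msg. */
    if ((len - 1) / 8 < rank)
        return -1;

    memset(out, 0, sizeof *out);
    out->rank = rank;
    for (unsigned i = 0; i < rank; i++)
        out->dims[i] = read_le64(msg + 1 + 8 * (size_t)i);
    return 0;
}

/* Small wrappers so a caller can check results without the struct. */
int decoded_rank(const uint8_t *msg, size_t len)
{
    dataspace_t ds;
    return decode_dataspace(msg, len, &ds) == 0 ? (int)ds.rank : -1;
}

long long decoded_dim(const uint8_t *msg, size_t len, unsigned i)
{
    dataspace_t ds;
    if (decode_dataspace(msg, len, &ds) != 0 || i >= ds.rank)
        return -1;
    return (long long)ds.dims[i];
}

/* Constructed sample messages (not taken from any real .h5 file). */
static const uint8_t sample_ok[17] = {        /* rank 2, dims (4, 6) */
    2,
    4, 0, 0, 0, 0, 0, 0, 0,
    6, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t sample_overrank[17] = {  /* rank 200 in a 17-byte message */
    200,
    4, 0, 0, 0, 0, 0, 0, 0,
    6, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t sample_short[17] = {     /* rank 3, only two dims present */
    3,
    4, 0, 0, 0, 0, 0, 0, 0,
    6, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    printf("sample_ok: rank %d, dims (%lld, %lld)\n",
           decoded_rank(sample_ok, sizeof sample_ok),
           decoded_dim(sample_ok, sizeof sample_ok, 0),
           decoded_dim(sample_ok, sizeof sample_ok, 1));
    printf("sample_overrank rejected: %s\n",
           decoded_rank(sample_overrank, sizeof sample_overrank) < 0 ? "yes" : "no");
    printf("sample_short rejected: %s\n",
           decoded_rank(sample_short, sizeof sample_short) < 0 ? "yes" : "no");
    return 0;
}
```

The two rejected samples correspond to the two ways an attacker-controlled count can go wrong: larger than the destination array, and larger than the data that actually follows it.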
Assignee: pkg-bugs => qa-bugs
Tackling this for x86_64. It involves following a tutorial so may take some time. What else does one do on Christmas Day?
CC: (none) => tarazed25
Created attachment 8817
Notes from a web tutorial on the HDF container format.

This is a personal narrative based on following the HDF tutorial online. For QA a quick look at the tutorial should be sufficient to acquire an elementary grasp of the subject, sufficient to demonstrate that HDF is working at the C level. There are also Java, Fortran and C++ interfaces.
The copious examples in the tutorial show how to create datasets but development of PoCs for the CVEs cited requires a more intimate understanding of the binary coding of the outputs. I tried blindly corrupting the heap section of a simple dataset using emacs and as expected produced a file for which h5dump raised an error. So, having successfully exercised the example files for the 1_8 branch of the hdf5-examples I shall run the updates and perform the same tests. That is about all we can do.
MGA-32 on AcerD620 Xfce
No installation issues.
Limited test to first one in web tutorial

$ h5cc -o makesample h5_crtdat.c
In file included from /usr/include/H5public.h:37:0,
                 from /usr/include/hdf5.h:24,
                 from h5_crtdat.c:21:
/usr/include/features.h:148:3: let op: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp]
 # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
   ^
$ ./makesample
$ ls -l
-rw-r--r-- 1 tester5 tester5    1400 dec 26 15:07 dset.h5
-rw-r--r-- 1 tester5 tester5    2080 dec 26 15:00 h5_crtdat.c
-rw-r--r-- 1 tester5 tester5    6008 dec 26 15:07 h5_crtdat.o
-rwxr-xr-x 1 tester5 tester5 7591428 dec 26 15:07 makesample*
$ h5dump dset.h5
HDF5 "dset.h5" {
GROUP "/" {
   DATASET "dset" {
      DATATYPE  H5T_STD_I32BE
      DATASPACE  SIMPLE { ( 4, 6 ) / ( 4, 6 ) }
      DATA {
      (0,0): 0, 0, 0, 0, 0, 0,
      (1,0): 0, 0, 0, 0, 0, 0,
      (2,0): 0, 0, 0, 0, 0, 0,
      (3,0): 0, 0, 0, 0, 0, 0
      }
   }
}
}
$ od -a dset.h5
0000000  ht   H   D   F  cr  nl sub  nl nul nul nul nul nul  bs  bs nul
0000020 eot nul dle nul nul nul nul nul nul nul nul nul nul nul nul nul
0000040 del del del del del del del del   x enq nul nul nul nul nul nul
0000060 del del del del del del del del nul nul nul nul nul nul nul nul
0000100   ` nul nul nul nul nul nul nul soh nul nul nul nul nul nul nul
0000120  bs nul nul nul nul nul nul nul   ( stx nul nul nul nul nul nul
0000140 soh nul soh nul soh nul nul nul can nul nul nul nul nul nul nul
and a lot more, seems working OK
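As an added illustration (not from this bug, the tutorial or the HDF5 library), here is a small reader for the version-0 superblock that the od -a dump above shows, with the consistency checks that make a library reject a file whose bytes were edited blindly, as in the emacs experiment described in an earlier comment. The 64 bytes are reconstructed from that dump: od -a drops the high bit of each byte, so the "ht" that opens the signature is really 0x89 and the "del" runs are 0xff (an undefined address), while "x enq" is 0x0578 = 1400, which matches the dset.h5 size in the ls listing. The struct, the function names and the wrapper around the constructed header are this example's own; the field offsets follow the version-0 superblock layout (signature, version bytes, offset and length sizes, group K values, flags, then base, free-space, end-of-file and driver-info addresses).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HDF5 format signature; od -a prints it as "ht H D F cr nl sub nl". */
static const uint8_t HDF5_SIGNATURE[8] = { 0x89, 'H', 'D', 'F', 0x0d, 0x0a, 0x1a, 0x0a };

typedef struct {
    uint8_t  version;        /* superblock version, 0 for this file */
    uint8_t  offset_size;    /* bytes per file address */
    uint8_t  length_size;    /* bytes per length field */
    uint16_t leaf_k;         /* group leaf node K */
    uint16_t internal_k;     /* group internal node K */
    uint64_t base_addr;
    uint64_t freespace_addr; /* all bits set means undefined */
    uint64_t eof_addr;       /* first byte past the end of the HDF5 data */
    uint64_t driver_addr;    /* all bits set means undefined */
} superblock_v0_t;

/* Little-endian read of n bytes (n <= 8). */
static uint64_t read_le(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = n; i-- > 0; )
        v = (v << 8) | p[i];
    return v;
}

/* Parse a version-0 superblock. Returns 0 on success, or:
 *  -1 no HDF5 signature, -2 buffer shorter than the superblock,
 *  -3 unsupported superblock version, -4 unsupported address/length width,
 *  -5 recorded end-of-file address lies beyond the real file size. */
int parse_superblock_v0(const uint8_t *buf, size_t len, uint64_t file_size,
                        superblock_v0_t *sb)
{
    if (len < 8 || memcmp(buf, HDF5_SIGNATURE, 8) != 0)
        return -1;
    if (len < 24)
        return -2;
    if (buf[8] != 0)
        return -3;
    uint8_t so = buf[13], sl = buf[14];
    /* This example only handles 2/4/8-byte widths (it reads into uint64_t). */
    if ((so != 2 && so != 4 && so != 8) || (sl != 2 && sl != 4 && sl != 8))
        return -4;
    /* Four addresses of 'so' bytes follow the fixed 24-byte header; the
     * width comes from the file, so bound it before reading. */
    if (len < 24 + 4 * (size_t)so)
        return -2;

    memset(sb, 0, sizeof *sb);
    sb->version        = buf[8];
    sb->offset_size    = so;
    sb->length_size    = sl;
    sb->leaf_k         = (uint16_t)read_le(buf + 16, 2);
    sb->internal_k     = (uint16_t)read_le(buf + 18, 2);
    sb->base_addr      = read_le(buf + 24, so);
    sb->freespace_addr = read_le(buf + 24 + so, so);
    sb->eof_addr       = read_le(buf + 24 + 2 * so, so);
    sb->driver_addr    = read_le(buf + 24 + 3 * so, so);

    /* Truncation check: the file on disk must reach at least eof_addr. */
    if (sb->eof_addr > file_size)
        return -5;
    return 0;
}

/* First 64 bytes of dset.h5, reconstructed from the od -a dump above. */
static const uint8_t DSET_H5_HEAD[64] = {
    0x89, 'H',  'D',  'F',  0x0d, 0x0a, 0x1a, 0x0a,  /* signature */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08, 0x00,  /* versions, 8-byte offsets/lengths */
    0x04, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,  /* leaf K = 4, internal K = 16, flags */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* base address 0 */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* free-space address: undefined */
    0x78, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* EOF address 0x578 = 1400 */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* driver info block: undefined */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* root symbol table entry begins */
};

static superblock_v0_t g_sb;   /* filled by the wrappers below */

/* Parse the constructed header as if the file were file_size bytes long. */
int parse_dset_head(uint64_t file_size)
{
    return parse_superblock_v0(DSET_H5_HEAD, sizeof DSET_H5_HEAD, file_size, &g_sb);
}

/* Same, but with byte 0 replaced, e.g. by the 0x09 that od -a displays. */
int parse_with_first_byte(uint8_t b)
{
    uint8_t copy[64];
    memcpy(copy, DSET_H5_HEAD, sizeof copy);
    copy[0] = b;
    return parse_superblock_v0(copy, sizeof copy, 1400, &g_sb);
}

int main(void)
{
    int rc = parse_dset_head(1400);
    printf("status %d: %u-byte addresses, leaf K %u, internal K %u, EOF %llu\n",
           rc, g_sb.offset_size, g_sb.leaf_k, g_sb.internal_k,
           (unsigned long long)g_sb.eof_addr);
    printf("same header, 1000-byte file: %d\n", parse_dset_head(1000));
    printf("first byte 0x09 as od -a shows it: %d\n", parse_with_first_byte(0x09));
    return 0;
}
```

The EOF-address comparison is the check that turns a silently truncated or padded file into a clean error rather than an out-of-bounds read later on; the width check on the offset and length sizes is the same "count from the file" discipline as in the CVE descriptions, applied to the very first structure a reader touches.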
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Forgot to mention, the hdf5-debuginfo-1.8.13-4.1.mga5 was not there in the repos.
Yes, I looked all over for it. Not available.
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/5/i586/media/debug/core/updates_testing/hdf5-debuginfo-1.8.13-4.1.mga5.i586.rpm
CC: (none) => jim
https://wiki.mageia.org/en/Debugging_software_crashes#Preliminaries

Note that the "debug" repos and packages are now called "debuginfo"
(In reply to James Kerr from comment #12)
> https://wiki.mageia.org/en/Debugging_software_crashes#Preliminaries
>
> Note that the "debug" repos and packages are now called "debuginfo"

Sorry - only the packages are called "debuginfo"; the repos are still just "debug"
Thanks James.

x86_64

$ rm -rf hdf5-examples
$ tar xf hdf5-examples.tar

Updated the packages, excluding hdf5-debuginfo.

From ./hdf5-examples/
$ ./configure HSEX_18=1
$ make
$ cd 1_6/C/H5D
$ ./h5ex_d_alloc
Creating datasets...
DS1 has allocation time H5D_ALLOC_TIME_LATE
DS2 has allocation time H5D_ALLOC_TIME_EARLY

Space for DS1 has not been allocated.
Storage size for DS1 is: 0 bytes.
Space for DS2 has been allocated.
Storage size for DS2 is: 112 bytes.

Writing data...

Space for DS1 has been allocated.
Storage size for DS1 is: 112 bytes.
Space for DS2 has been allocated.
Storage size for DS2 is: 112 bytes.
$ h5dump h5ex_d_alloc.h5
HDF5 "h5ex_d_alloc.h5" {
GROUP "/" {
   DATASET "DS1" {
      DATATYPE  H5T_STD_I32LE
      DATASPACE  SIMPLE { ( 4, 7 ) / ( 4, 7 ) }
      DATA {
      (0,0): 0, -1, -2, -3, -4, -5, -6,
      (1,0): 0, 0, 0, 0, 0, 0, 0,
      (2,0): 0, 1, 2, 3, 4, 5, 6,
      (3,0): 0, 2, 4, 6, 8, 10, 12
      }
   }
   DATASET "DS2" {
      DATATYPE  H5T_STD_I32LE
      DATASPACE  SIMPLE { ( 4, 7 ) / ( 4, 7 ) }
      DATA {
      (0,0): 0, -1, -2, -3, -4, -5, -6,
      (1,0): 0, 0, 0, 0, 0, 0, 0,
      (2,0): 0, 1, 2, 3, 4, 5, 6,
      (3,0): 0, 2, 4, 6, 8, 10, 12
      }
   }
}
}
This output agrees with the result posted in h5ex_d_alloc.test.

$ ./h5ex_d_checksum
Filter type is: H5Z_FILTER_FLETCHER32
Maximum value in DS1 is: 1890
$ h5dump h5ex_d_checksum.h5
shows that the last value in the dataset is 1890 and is the largest.

$ ./h5ex_d_compact
Storage layout for DS1 is: H5D_COMPACT

DS1:
 [ 0 -1 -2 -3 -4 -5 -6]
 [ 0 0 0 0 0 0 0]
 [ 0 1 2 3 4 5 6]
 [ 0 2 4 6 8 10 12]
$ h5dump h5ex_d_compact.h5
HDF5 "h5ex_d_compact.h5" {
GROUP "/" {
   DATASET "DS1" {
      DATATYPE  H5T_STD_I32LE
      DATASPACE  SIMPLE { ( 4, 7 ) / ( 4, 7 ) }
      DATA {
      (0,0): 0, -1, -2, -3, -4, -5, -6,
      (1,0): 0, 0, 0, 0, 0, 0, 0,
      (2,0): 0, 1, 2, 3, 4, 5, 6,
      (3,0): 0, 2, 4, 6, 8, 10, 12
      }
   }
}
}

Ran several more of these tests and the h5dump output data always agreed with what was expected, registered in the corresponding *.test file.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Advisory from Comment 4; validated.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0425.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED