From 7a28a99698e93938b1b19bc5649153d587408499bfa98ef7425222eee0cbc118 Mon Sep 17 00:00:00 2001 From: Egbert Eich Date: Wed, 4 May 2022 11:39:11 +0000 Subject: [PATCH 1/2] Accepting request 974893 from home:eeich:branches:science - Security Fix: Add configure option --disable-hltools to disable GIF tools as recommended in the 1.10.8 release: CVE-2018-17433 (bsc#1109565), CVE-2018-17436 (bsc#1109568), CVE-2020-10809 (bsc#1167404). * Fixed CVE-2018-17432 (bsc#1109564) parsing (bsc#1167401) * Fixed CVE-2018-14460 (bsc#1102175) * Fixed CVE-2018-11206 (bsc#1093657) (same issue as CVE-2018-14032 (bsc#1101474)) * Fixed CVE-2018-14033 (bsc#1101471) (same issue as CVE-2020-10811 (bsc#1167405)) H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 (bsc#1109570) * CVE-2018-17437: Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c. (bsc#1109569) * CVE-2018-17237: A SIGFPE signal is raised in the function H5D__chunk_set_info_real (bsc#1109168) (commit 4e31361d). OBS-URL: https://build.opensuse.org/request/show/974893 OBS-URL: https://build.opensuse.org/package/show/science/hdf5?expand=0&rev=150 --- hdf5.changes | 31 +++++++++++++++++++++++-------- hdf5.spec | 3 ++- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/hdf5.changes b/hdf5.changes index 1f70bb9..b35a06a 100644 --- a/hdf5.changes +++ b/hdf5.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Wed May 4 06:39:53 UTC 2022 - Egbert Eich + +- Security Fix: + Add configure option --disable-hltools to disable GIF tools as + recommended in the 1.10.8 release: + CVE-2018-17433 (bsc#1109565), + CVE-2018-17436 (bsc#1109568), + CVE-2020-10809 (bsc#1167404). + ------------------------------------------------------------------- Thu Apr 7 23:51:05 UTC 2022 - Christoph Junghans 
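Review bot: the new changes entry describes --disable-hltools as disabling the "GIF tools", but that configure switch turns off the whole hl/tools build, so h5watch is dropped along with gif2h5 and h52gif; say so in the entry so anyone who loses h5watch after this update can find out why. It is also worth stating that the three CVEs listed (CVE-2018-17433, CVE-2018-17436, CVE-2020-10809) are mitigated by no longer shipping the affected tools, not fixed in code, e.g. "gif2h5/h52gif (and h5watch) are no longer built or packaged".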
@@ -58,14 +68,16 @@ Wed Feb 16 11:18:17 UTC 2022 - Atri Bhattacharya * h5repack added help text for user-defined filters. * Doxygen documentation is available when configured and generated. - * Fixed CVE-2018-17432 + * Fixed CVE-2018-17432 (bsc#1109564) * Fixed a segmentation fault * Detection of simple data transform function "x" * Fixed CVE-2020-10810 - an invalid read and memory leak when - parsing - * Fixed CVE-2018-14460 - * Fixed CVE-2018-11206 - * Fixed CVE-2018-14033 (same issue as CVE-2020-10811) + parsing (bsc#1167401) + * Fixed CVE-2018-14460 (bsc#1102175) + * Fixed CVE-2018-11206 (bsc#1093657) + (same issue as CVE-2018-14032 (bsc#1101474)) + * Fixed CVE-2018-14033 (bsc#1101471) + (same issue as CVE-2020-10811 (bsc#1167405)) * Remove underscores on header file guards * H5FArray.java class: - Convert the entire byte array into a 1-d array of the @@ -201,7 +213,8 @@ Fri Nov 6 10:41:02 UTC 2020 - Ana Guerrero Lopez * CVE-2018-13869: memcpy parameter overlap in the function H5O_link_decode in H5Olink.c (bsc#1101495) * CVE-2018-17438: A SIGFPE signal is raised in the function - H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 + H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 + (bsc#1109570) library during an attempted parse of a crafted HDF file, because of incorrect protection against division (bsc#1109570) 
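Review bot: the second hunk (@@ -58,14 +68,16 @@) rewrites the Feb 16 2022 entry in place to add bsc# references and to split the "same issue as" pairings (CVE-2018-11206 with CVE-2018-14032, CVE-2018-14033 with CVE-2020-10811), yet the new May 4 entry at the top of the file says nothing about older entries being amended. Retroactive edits to dated entries are hard to spot in a changes file; add one line to the new entry such as "Add bsc references to earlier CVE entries" so the history stays self-describing.

Review bot: in the third hunk (@@ -201,7 +213,8 @@) the added "(bsc#1109570)" line duplicates a reference the entry already carries at its end ("of incorrect protection against division (bsc#1109570)"), and it is inserted mid-sentence, so the text now reads "through 1.10.3 (bsc#1109570) library during an attempted parse". The removed and added "H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3" lines look identical, which suggests a whitespace-only change. Drop the added "(bsc#1109570)" line and, if trailing whitespace was the point, keep just that one-line fix.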
@@ -289,8 +302,10 @@ Fri Aug 23 09:58:01 UTC 2019 - Ana Guerrero Lopez H5D__create_chunk_file_map_hyper. (bsc#1109166) * CVE-2018-17434: Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c (bsc#1109167) - * CVE-2018-17437: A SIGFPE signal is raised in the function - H5D__chunk_set_info_real. (bsc#1109168) + * CVE-2018-17437: Memory leak in the H5O_dtype_decode_helper() function + in H5Odtype.c. (bsc#1109569) + * CVE-2018-17237: A SIGFPE signal is raised in the function + H5D__chunk_set_info_real (bsc#1109168) (commit 4e31361d). - Bump fortran library soname, sonum_F from 100 to 102. - Adjust library installation path, use %hpc_prefix/lib64 in x86_64 and %hpc_libdir in all other cases diff --git a/hdf5.spec b/hdf5.spec index 5e99004..399f3ea 100644 --- a/hdf5.spec +++ b/hdf5.spec @@ -438,7 +438,7 @@ Patch7: hdf5-mpi.patch Patch8: Disable-phdf5-tests.patch # boo#1179521, boo#1196682, gh#HDFGroup/hdf5#1494 Patch9: hdf5-1.10.8-pr1494-fix-release-check-version.patch -# Imported from Fedora, strip flags from h5cc wrapper +# Imported from Fedora, strip flags from h5cc wrapper Patch10: hdf5-wrappers.patch BuildRequires: fdupes %if 0%{?use_sz2} @@ -760,6 +760,7 @@ export MPICXX=mpicxx %hpc_configure \ %define hpc_exec_prefix %{expand:%_hpc_exec_prefix} %endif # ?hpc + --disable-hltools \ --disable-dependency-tracking \ --enable-fortran \ --enable-unsupported \ From de571884c0e0ca8bd8fd32b770e910a1299be9b1b9d73b90ba47cc78a65f7cf3 Mon Sep 17 00:00:00 2001 From: Egbert Eich Date: Thu, 5 May 2022 08:07:45 +0000 Subject: [PATCH 2/2] Accepting request 975081 from home:eeich:branches:science * CVE-2018-17234: Memory leak in the H5O__chunk_deserialize() * CVE-2018-17434: A SIGFPE signal is raised in function apply_filters() of h5repack_filters.c (bsc#1109566) OBS-URL: https://build.opensuse.org/request/show/975081 OBS-URL: https://build.opensuse.org/package/show/science/hdf5?expand=0&rev=151 --- hdf5.changes | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
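Review bot: the hdf5.changes hunk (@@ -289,8 +302,10 @@) corrects the description attached to CVE-2018-17437 and moves the H5D__chunk_set_info_real SIGFPE to CVE-2018-17237, but the unchanged context line two lines above, "CVE-2018-17434: Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c (bsc#1109167)", has the same kind of mix-up and is left as is; the follow-up request 975081 below fixes it, but both corrections belong in one change so the changes file is never in a half-corrected state. Also, "(commit 4e31361d)" is a bare short hash with no repository named, whereas the rest of the file cites bsc#/boo#/gh# references (see the Patch9 comment "boo#1179521, boo#1196682, gh#HDFGroup/hdf5#1494"); write it as a gh# reference or the full hash so it stays resolvable.

Review bot: the hdf5.spec hunk adds "--disable-hltools \" to the configure call, but the diffstat ("hdf5.spec | 3 ++-") shows no accompanying %files change. If the %files sections name gif2h5, h52gif or h5watch explicitly, the build will fail on unpackaged/missing files; if they glob %{_bindir}/h5*, those binaries silently disappear from the package with nothing in the spec recording why. Either way, add or remove the corresponding %files entries in the same change and, if any of the three binaries is referenced by other packages or tests, adjust those too. The "-# Imported from Fedora, strip flags from h5cc wrapper" / "+# Imported from Fedora, strip flags from h5cc wrapper" pair is a whitespace-only edit unrelated to the security change; harmless, but better left out of a security-labelled request.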
diff --git a/hdf5.changes b/hdf5.changes index b35a06a..184c883 100644 --- a/hdf5.changes +++ b/hdf5.changes @@ -300,8 +300,10 @@ Fri Aug 23 09:58:01 UTC 2019 - Ana Guerrero Lopez - Security bugs fixed: * CVE-2018-17233: A SIGFPE signal is raised in the function H5D__create_chunk_file_map_hyper. (bsc#1109166) - * CVE-2018-17434: Memory leak in the H5O__chunk_deserialize() + * CVE-2018-17234: Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c (bsc#1109167) + * CVE-2018-17434: A SIGFPE signal is raised in function apply_filters() + of h5repack_filters.c (bsc#1109566) * CVE-2018-17437: Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c. (bsc#1109569) * CVE-2018-17237: A SIGFPE signal is raised in the function
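Review bot: this hunk (@@ -300,8 +300,10 @@) swaps the CVE-2018-17434 line to CVE-2018-17234 and re-adds CVE-2018-17434 with the apply_filters()/h5repack_filters.c description and a new bsc#1109566, i.e. it corrects the record of the Aug 23 2019 entry rather than documenting a new fix, but there is no new dated entry mentioning the correction; anyone diffing hdf5.changes between rev 150 and rev 151 sees a 2019 entry mutate with no explanation. Add a line to the May 2022 entry such as "Correct CVE IDs in the 1.10.5 security entry (CVE-2018-17234, CVE-2018-17434)". Note also that h5repack_filters.c belongs to the h5repack tool, not to hl/tools, so the --disable-hltools mitigation introduced in the previous request does not cover CVE-2018-17434; keeping the two unrelated in the wording avoids implying otherwise.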