* Update to version 1.12.3. * Drop upstreamed patches: Remove-duplicate-code.patch, H5O__pline_decode-Make-more-resilient-to-out-of-bounds-read.patch, H5O_dtype_decode_helper-Parent-of-enum-needs-to-have-same-size-as-enum-itself.patch, Pass-compact-chunk-size-info-to-ensure-requested-elements-are-within-bounds.patch, Make-sure-info-block-for-external-links-has-at-least-3-bytes.patch, Compound-datatypes-may-not-have-members-of-size-0.patch, H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch, Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch * New BuildRequires: hostname. * Work around an sed hack in upstream configure file by dropping "-Werror=return-type" from RPM %optflags. OBS-URL: https://build.opensuse.org/request/show/1173662 OBS-URL: https://build.opensuse.org/package/show/science/hdf5?expand=0&rev=174
44 lines
2.0 KiB
Diff
44 lines
2.0 KiB
Diff
From: Egbert Eich <eich@suse.com>
|
|
Date: Wed Oct 5 09:44:02 2022 +0200
|
|
Subject: Hot fix for CVE-2020-10812
|
|
Patch-mainline: Not yet
|
|
Git-repo: ssh://eich@192.168.122.1:/home/eich/sources/HPC/hdf5
|
|
Git-commit: 2465fc41d208d57eb0d7d025286a81664148fbaf
|
|
References:
|
|
|
|
CVE-2020-10812 unveils a more fundamental design flaw in H5F__dest():
|
|
this function returns FAIL if one of multiple operations fail (in this
|
|
case H5AC_prep_for_file_close()) while it still proceeds to prepare the
|
|
close operation, free the 'shared' member in struct H5F_t and ulimately
|
|
deallocate the structure itself.
|
|
When H5F__dest() signals back FAIL to the caller, the caller itself
|
|
(H5F_try_close() in this case) will fail. This failure is signalled
|
|
up the stack, thus the file will not be considered closed and another
|
|
attempt will be made to close it - latest in the exit handler.
|
|
The next attempt to close will however need the already deallocated
|
|
H5F_t structure and the H5T_shared_t structure in its 'shared' member,
|
|
however.
|
|
This fix papers over the failure of H5AC_prep_for_file_close() by not
|
|
changing the return status of H5F__dest() to fail. There are numerous
|
|
other opportunities where this will happen.
|
|
This may call for a more fundamental solution.
|
|
|
|
Signed-off-by: Egbert Eich <eich@suse.com>
|
|
Signed-off-by: Egbert Eich <eich@suse.de>
|
|
---
|
|
src/H5Fint.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
Index: hdf5-1.12.3/src/H5Fint.c
|
|
===================================================================
|
|
--- hdf5-1.12.3.orig/src/H5Fint.c
|
|
+++ hdf5-1.12.3/src/H5Fint.c
|
|
@@ -1412,7 +1412,7 @@ H5F__dest(H5F_t *f, hbool_t flush, hbool
|
|
*/
|
|
if (H5AC_prep_for_file_close(f) < 0)
|
|
/* Push error, but keep going */
|
|
- HDONE_ERROR(H5E_FILE, H5E_CANTFLUSH, FAIL, "metadata cache prep for close failed")
|
|
+ HDONE_ERROR(H5E_FILE, H5E_CANTFLUSH, ret_value, "metadata cache prep for close failed")
|
|
|
|
/* Flush at this point since the file will be closed (phase 2).
|
|
* Only try to flush the file if it was opened with write access, and if
|