diff --git a/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch b/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch new file mode 100644 index 0000000000..ffaade2503 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch @@ -0,0 +1,67 @@ +From 951ebdce0098dac1042d5e9650e655c6c1f92904 Mon Sep 17 00:00:00 2001 +From: jhendersonHDF +Date: Fri, 26 Sep 2025 13:13:10 -0500 +Subject: [PATCH] CVE-2025-2923 + +Fix issue with handling of corrupted object header continuation messages (#5829) + +An HDF5 file could be specifically constructed such that an object +header contained a corrupted continuation message which pointed +back to itself. This eventually resulted in an internal buffer being +allocated with too small of a size, leading to a heap buffer overflow +when encoding an object header message into it. This has been fixed +by checking the expected number of deserialized object header chunks +against the actual value as chunks are being deserialized. + +Fixes CVE-2025-6816, CVE-2025-6856, CVE-2025-2923 + +CVE: CVE-2025-2923 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675] + +(cherry picked from commit 29c847a43db0cdc85b01cafa5a7613ea73932675) +Signed-off-by: Ankur Tyagi +--- + src/H5Oint.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/H5Oint.c b/src/H5Oint.c +index 022ee43..a5e0072 100644 +--- a/src/H5Oint.c ++++ b/src/H5Oint.c +@@ -1013,10 +1013,9 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks) + */ + curr_msg = 0; + while (curr_msg < cont_msg_info.nmsgs) { +- H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */ +-#ifndef NDEBUG +- size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */ +-#endif /* NDEBUG */ ++ H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */ ++ unsigned chunkno; /* Chunk number for chunk proxy */ ++ size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */ + + /* Bring the chunk into the cache */ + /* (which adds to the object header) */ +@@ -1029,14 +1028,20 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks) + + /* Sanity check */ + assert(chk_proxy->oh == oh); +- assert(chk_proxy->chunkno == chkcnt); +- assert(oh->nchunks == (chkcnt + 1)); ++ ++ chunkno = chk_proxy->chunkno; + + /* Release the chunk from the cache */ + if (H5AC_unprotect(loc->file, H5AC_OHDR_CHK, cont_msg_info.msgs[curr_msg].addr, chk_proxy, + H5AC__NO_FLAGS_SET) < 0) + HGOTO_ERROR(H5E_OHDR, H5E_CANTUNPROTECT, NULL, "unable to release object header chunk"); + ++ if (chunkno != chkcnt) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "incorrect chunk number for object header chunk"); ++ if (oh->nchunks != (chkcnt + 1)) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, ++ "incorrect number of chunks after deserializing object header chunk"); ++ + /* Advance to next continuation message */ + curr_msg++; + } /* end while */ diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index f34e5f183d..4305826b22 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -15,6 +15,7 @@ SRC_URI = " \ https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.4/src/${BPN}-${PV}.tar.gz \ file://0002-Remove-suffix-shared-from-shared-library-name.patch \ file://0001-cmake-remove-build-flags.patch \ + file://0001-CVE-2025-2923.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"