Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package hdf5 for openSUSE:Factory checked in 
at 2023-02-17 16:44:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/hdf5 (Old)
 and      /work/SRC/openSUSE:Factory/.hdf5.new.22824 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "hdf5"

Fri Feb 17 16:44:17 2023 rev:81 rq:1066251 version:1.12.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/hdf5/hdf5.changes        2022-11-16 
15:43:38.603892655 +0100
+++ /work/SRC/openSUSE:Factory/.hdf5.new.22824/hdf5.changes     2023-02-17 
16:44:27.886680087 +0100
@@ -1,0 +2,10 @@
+Mon Feb 13 09:18:05 UTC 2023 - Egbert Eich <e...@suse.com>
+
+- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus
+  input file (bsc#1207973).
+  https://github.com/HDFGroup/hdf5/issues/2458
+  https://github.com/HDFGroup/hdf5/pull/2459
+  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
+  Remove-duplicate-code.patch
+
+-------------------------------------------------------------------

New:
----
  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
  Remove-duplicate-code.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ hdf5.spec ++++++
--- /var/tmp/diff_new_pack.mRMx4q/_old  2023-02-17 16:44:30.546695067 +0100
+++ /var/tmp/diff_new_pack.mRMx4q/_new  2023-02-17 16:44:30.622695495 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package hdf5
+# spec file
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -450,6 +450,8 @@
 Patch109:       Hot-fix-for-CVE-2020-10812.patch
 Patch110:       Compound-datatypes-may-not-have-members-of-size-0.patch
 Patch111:       
H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
+Patch112:       
Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
+Patch113:       Remove-duplicate-code.patch
 
 BuildRequires:  fdupes
 %if 0%{?use_sz2}
@@ -704,6 +706,8 @@
 %patch109 -p1
 %patch110 -p1
 %patch111 -p1
+%patch112 -p1
+%patch113 -p1
 
 %if %{without hpc}
 # baselibs looks different for different flavors - generate it on the fly

++++++ 
Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch 
++++++
From: Egbert Eich <e...@suse.com>
Date: Sat Feb 11 13:54:17 2023 +0100
Subject: Check for overflow when calculating on-disk attribute data size (#2459)
Patch-mainline: Not yet
Git-repo: https://github.com/HDFGroup/hdf5
Git-commit: 0d026daa13a81be72495872f651c036fdc84ae5e
References: 

A bogus hdf5 file may contain dataspace messages with sizes
that cause the on-disk data size to exceed what is addressable.
When calculating the size, make sure the multiplication does not
overflow.
The test case was crafted in a way that the overflow caused the
size to be 0.

This fixes CVE-2021-37501 / Bug #2458.

Signed-off-by: Egbert Eich <e...@suse.com>
Signed-off-by: Egbert Eich <e...@suse.de>
---
 src/H5Oattr.c   |  3 +++
 src/H5private.h | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index 4dee7aa187..3ef0b99aa4 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -235,6 +235,9 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned 
H5_ATTR_UNUSED mesg_flags, un
 
     /* Compute the size of the data */
     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * 
(hsize_t)dt_size, hsize_t);
+    H5_CHECK_MUL_OVERFLOW(attr->shared->data_size, ds_size, dt_size,
+                         HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL,
+                                     "data size exceeds addressable range"))
 
     /* Go get the data */
     if (attr->shared->data_size) {
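Review bot: The overflow test in H5O_attr_decode runs only after `H5_CHECKED_ASSIGN` has already multiplied `ds_size * (hsize_t)dt_size` and stored the result in `attr->shared->data_size`. That macro's definition is outside this hunk, but if it asserts on a lossy hsize_t-to-size_t assignment in non-NDEBUG builds, a crafted file on a platform where size_t is narrower than hsize_t would abort the process before the new `HGOTO_ERROR` path is reached. Computing the product into a local hsize_t, checking it, and only then assigning keeps every build on the error path, as sketched below. The body of `if (attr->shared->data_size) {` also lies outside the hunk; if it copies `data_size` bytes out of the decoded message, that length presumably still needs comparing with the bytes remaining in the message buffer, since a large product that does not wrap passes this check.

```c
    /* Compute the size of the data */
    {
        hsize_t total = ds_size * (hsize_t)dt_size;

        /* Reject a wrapped product first, then a product that does not fit in size_t */
        H5_CHECK_MUL_OVERFLOW(total, ds_size, dt_size,
                              HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL,
                                          "data size exceeds addressable range"))
        if (total > (hsize_t)SIZE_MAX)
            HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")
        attr->shared->data_size = (size_t)total;
    }
    /* … unchanged: "Go get the data" branch … */
```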
diff --git a/src/H5private.h b/src/H5private.h
index 931d7b9046..a115aee1a4 100644
--- a/src/H5private.h
+++ b/src/H5private.h
@@ -1605,6 +1605,24 @@ H5_DLL int     HDvasprintf(char **bufp, const char *fmt, 
va_list _ap);
 #define H5_CHECK_OVERFLOW(var, vartype, casttype)
 #endif /* NDEBUG */
 
+/*
+ * A macro for checking whether a multiplication has overflown
+ * r is assumed to be the result of a prior multiplication of a and b
+ */
+#define H5_CHECK_MUL_OVERFLOW(r, a, b, err)                                    
                              \
+    {                                                                          
                              \
+        bool mul_overflow = false;                                             
                              \
+        if (r != 0) {                                                          
                              \
+            if (r / a != b)                                                    
                              \
+                mul_overflow = true;                                           
                              \
+        } else {                                                               
                              \
+            if (a != 0 && b != 0)                                              
                              \
+                mul_overflow = true;                                           
                              \
+        }                                                                      
                              \
+        if (mul_overflow)                                                      
                              \
+            err                                                                
                              \
+    }
+
 /*
  * A macro for detecting over/under-flow when assigning between types
  */
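Review bot: `H5_CHECK_MUL_OVERFLOW` uses `r`, `a` and `b` unparenthesised and evaluates `r / a` whenever `r` is non-zero. An expression argument can therefore bind differently than intended, and a caller whose `r` is not really the product of `a` and `b` can divide by zero. The two branches collapse into one guarded test that gives the same result whenever `r` is the product: `a == 0` can never overflow, and otherwise `r / a` equals `b` only when the product did not wrap. The header comment should also say that the operands must be unsigned, because the check relies on wrap-around, which is defined only for unsigned types. The sketch keeps the brace-block form, since the call site in H5Oattr.c invokes the macro without a trailing semicolon.

```c
#define H5_CHECK_MUL_OVERFLOW(r, a, b, err)                                    \
    {                                                                          \
        /* operands must be unsigned; a == 0 cannot overflow */                \
        if ((a) != 0 && (r) / (a) != (b)) {                                    \
            err                                                                \
        }                                                                      \
    }
```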

++++++ Remove-duplicate-code.patch ++++++
From: Egbert Eich <e...@suse.com>
Date: Sat Feb 11 18:08:15 2023 +0100
Subject: Remove duplicate code
Patch-mainline: Not yet
Git-repo: https://github.com/HDFGroup/hdf5
Git-commit: 539bca81e2b5713b1c6c5723d742377fb92c1ac1
References: 

Signed-off-by: Egbert Eich <e...@suse.com>
Signed-off-by: Egbert Eich <e...@suse.de>
---
 src/H5Oattr.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index 3ef0b99aa4..19d3abfb4c 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -222,10 +222,6 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned 
H5_ATTR_UNUSED mesg_flags, un
     else
         p += attr->shared->ds_size;
 
-    /* Get the datatype's size */
-    if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
-        HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
-
     /* Get the datatype & dataspace sizes */
     if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
         HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
