Your message dated Tue, 02 Jul 2024 21:49:36 +0000
with message-id <[email protected]>
and subject line Bug#1070861: fixed in hdf5 1.14.4.3+repack-1~exp2
has caused the Debian Bug report #1070861,
regarding hdf5: CVE-2024-33877 CVE-2024-33876 CVE-2024-33875 CVE-2024-33874 
CVE-2024-33873 CVE-2024-32624 CVE-2024-32623 CVE-2024-32622 CVE-2024-32621 
CVE-2024-32620 CVE-2024-32619 CVE-2024-32618 CVE-2024-32617 CVE-2024-32616 
CVE-2024-32615 CVE-2024-32614 CVE-2024-32613 CVE-2024-32612 CVE-2024-32611 
CVE-2024-32610 CVE-2024-32609 CVE-2024-32608 CVE-2024-32607 CVE-2024-32606 
CVE-2024-32605 CVE-2024-29166 CVE-2024-29165 CVE-2024-29164 CVE-2024-29163 
CVE-2024-29162 CVE-2024-29161 CVE-2024-29160 CVE-2024-29159 CVE-2024-29158 
CVE-2024-29157
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1070861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070861
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: hdf5
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for hdf5:
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/

CVE-2024-33877[0]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5T__conv_struct_opt in H5Tconv.c.


CVE-2024-33876[1]:
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5S__point_deserialize in H5Spoint.c.


CVE-2024-33875[2]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5O__layout_encode in H5Olayout.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-33874[3]:
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5O__mtime_new_encode in H5Omtime.c.


CVE-2024-33873[4]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5D__scatter_mem in H5Dscatgath.c.


CVE-2024-32624[5]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in
| H5Tconv.c), resulting in the corruption of the instruction pointer.


CVE-2024-32623[6]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5VM_array_fill in H5VM.c (called from H5S_select_elements in
| H5Spoint.c).


CVE-2024-32622[7]:
| HDF5 Library through 1.14.3 contains an out-of-bounds read operation
| in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in
| H5S.c).


CVE-2024-32621[8]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5HG_read in H5HG.c (called from H5VL__native_blob_get in
| H5VLnative_blob.c), resulting in the corruption of the instruction
| pointer.


CVE-2024-32620[9]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-32619[10]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T_copy_reopen in H5T.c, resulting in the corruption of the
| instruction pointer.


CVE-2024-32618[11]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__get_native_type in H5Tnative.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-32617[12]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called
| from H5G__ent_to_link in H5Glink.c).


CVE-2024-32616[13]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5O__dtype_encode_helper in H5Odtype.c.


CVE-2024-32615[14]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier
| use of an initialized pointer.


CVE-2024-32614[15]:
| HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c.


CVE-2024-32613[16]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in the function H5HL__fl_deserialize in H5HLcache.c, a different
| vulnerability than CVE-2024-32612.


CVE-2024-32612[17]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption
| of the instruction pointer, a different vulnerability than
| CVE-2024-32613.


CVE-2024-32611[18]:
| HDF5 Library through 1.14.3 may use an uninitialized value in
| H5A__attr_release_table in H5Aint.c.


CVE-2024-32610[19]:
| HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c,
| resulting in a corrupted instruction pointer.


CVE-2024-32609[20]:
| HDF5 Library through 1.14.3 allows stack consumption in the function
| H5E_printf_stack in H5Eint.c.


CVE-2024-32607[21]:
| HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c,
| resulting in the corruption of the instruction pointer.


CVE-2024-32606[22]:
| HDF5 Library through 1.14.3 may attempt to dereference uninitialized
| values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from
| h5tools_dump_simple_data in tools/lib/h5tools_dump.c).


CVE-2024-32605[23]:
| HDF5 Library through 1.14.3 has a heap-based buffer over-read in
| H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in
| H5Dcompact.c).


CVE-2024-29166[24]:
| HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode,
| resulting in the corruption of the instruction pointer and causing
| denial of service or potential code execution.


CVE-2024-29165[25]:
| HDF5 through 1.14.3 contains a buffer overflow in
| H5Z__filter_fletcher32, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.


CVE-2024-29164[26]:
| HDF5 through 1.14.3 contains a stack buffer overflow in
| H5R__decode_heap, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.


CVE-2024-29163[27]:
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5T__bit_find, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.


CVE-2024-29162[28]:
| HDF5 through 1.13.3 and/or 1.14.2 contains a stack buffer overflow
| in H5HG_read, resulting in denial of service or potential code
| execution.


CVE-2024-29161[29]:
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5A__attr_release_table, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.


CVE-2024-29160[30]:
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5HG__cache_heap_deserialize, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.


CVE-2024-29159[31]:
| HDF5 through 1.14.3 contains a buffer overflow in
| H5Z__filter_scaleoffset, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.


CVE-2024-29158[32]:
| HDF5 through 1.14.3 contains a stack buffer overflow in
| H5FL_arr_malloc, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.


CVE-2024-29157[33]:
| HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read,
| resulting in the corruption of the instruction pointer and causing
| denial of service or potential code execution.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-33877
    https://www.cve.org/CVERecord?id=CVE-2024-33877
[1] https://security-tracker.debian.org/tracker/CVE-2024-33876
    https://www.cve.org/CVERecord?id=CVE-2024-33876
[2] https://security-tracker.debian.org/tracker/CVE-2024-33875
    https://www.cve.org/CVERecord?id=CVE-2024-33875
[3] https://security-tracker.debian.org/tracker/CVE-2024-33874
    https://www.cve.org/CVERecord?id=CVE-2024-33874
[4] https://security-tracker.debian.org/tracker/CVE-2024-33873
    https://www.cve.org/CVERecord?id=CVE-2024-33873
[5] https://security-tracker.debian.org/tracker/CVE-2024-32624
    https://www.cve.org/CVERecord?id=CVE-2024-32624
[6] https://security-tracker.debian.org/tracker/CVE-2024-32623
    https://www.cve.org/CVERecord?id=CVE-2024-32623
[7] https://security-tracker.debian.org/tracker/CVE-2024-32622
    https://www.cve.org/CVERecord?id=CVE-2024-32622
[8] https://security-tracker.debian.org/tracker/CVE-2024-32621
    https://www.cve.org/CVERecord?id=CVE-2024-32621
[9] https://security-tracker.debian.org/tracker/CVE-2024-32620
    https://www.cve.org/CVERecord?id=CVE-2024-32620
[10] https://security-tracker.debian.org/tracker/CVE-2024-32619
    https://www.cve.org/CVERecord?id=CVE-2024-32619
[11] https://security-tracker.debian.org/tracker/CVE-2024-32618
    https://www.cve.org/CVERecord?id=CVE-2024-32618
[12] https://security-tracker.debian.org/tracker/CVE-2024-32617
    https://www.cve.org/CVERecord?id=CVE-2024-32617
[13] https://security-tracker.debian.org/tracker/CVE-2024-32616
    https://www.cve.org/CVERecord?id=CVE-2024-32616
[14] https://security-tracker.debian.org/tracker/CVE-2024-32615
    https://www.cve.org/CVERecord?id=CVE-2024-32615
[15] https://security-tracker.debian.org/tracker/CVE-2024-32614
    https://www.cve.org/CVERecord?id=CVE-2024-32614
[16] https://security-tracker.debian.org/tracker/CVE-2024-32613
    https://www.cve.org/CVERecord?id=CVE-2024-32613
[17] https://security-tracker.debian.org/tracker/CVE-2024-32612
    https://www.cve.org/CVERecord?id=CVE-2024-32612
[18] https://security-tracker.debian.org/tracker/CVE-2024-32611
    https://www.cve.org/CVERecord?id=CVE-2024-32611
[19] https://security-tracker.debian.org/tracker/CVE-2024-32610
    https://www.cve.org/CVERecord?id=CVE-2024-32610
[20] https://security-tracker.debian.org/tracker/CVE-2024-32609
    https://www.cve.org/CVERecord?id=CVE-2024-32609
[21] https://security-tracker.debian.org/tracker/CVE-2024-32607
    https://www.cve.org/CVERecord?id=CVE-2024-32607
[22] https://security-tracker.debian.org/tracker/CVE-2024-32606
    https://www.cve.org/CVERecord?id=CVE-2024-32606
[23] https://security-tracker.debian.org/tracker/CVE-2024-32605
    https://www.cve.org/CVERecord?id=CVE-2024-32605
[24] https://security-tracker.debian.org/tracker/CVE-2024-29166
    https://www.cve.org/CVERecord?id=CVE-2024-29166
[25] https://security-tracker.debian.org/tracker/CVE-2024-29165
    https://www.cve.org/CVERecord?id=CVE-2024-29165
[26] https://security-tracker.debian.org/tracker/CVE-2024-29164
    https://www.cve.org/CVERecord?id=CVE-2024-29164
[27] https://security-tracker.debian.org/tracker/CVE-2024-29163
    https://www.cve.org/CVERecord?id=CVE-2024-29163
[28] https://security-tracker.debian.org/tracker/CVE-2024-29162
    https://www.cve.org/CVERecord?id=CVE-2024-29162
[29] https://security-tracker.debian.org/tracker/CVE-2024-29161
    https://www.cve.org/CVERecord?id=CVE-2024-29161
[30] https://security-tracker.debian.org/tracker/CVE-2024-29160
    https://www.cve.org/CVERecord?id=CVE-2024-29160
[31] https://security-tracker.debian.org/tracker/CVE-2024-29159
    https://www.cve.org/CVERecord?id=CVE-2024-29159
[32] https://security-tracker.debian.org/tracker/CVE-2024-29158
    https://www.cve.org/CVERecord?id=CVE-2024-29158
[33] https://security-tracker.debian.org/tracker/CVE-2024-29157
    https://www.cve.org/CVERecord?id=CVE-2024-29157

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: hdf5
Source-Version: 1.14.4.3+repack-1~exp2
Done: Gilles Filippini <[email protected]>

We believe that the bug you reported is fixed in the latest version of
hdf5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gilles Filippini <[email protected]> (supplier of updated hdf5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Jul 2024 22:50:43 +0200
Source: hdf5
Architecture: source
Version: 1.14.4.3+repack-1~exp2
Distribution: experimental
Urgency: medium
Maintainer: Gilles Filippini <[email protected]>
Changed-By: Gilles Filippini <[email protected]>
Closes: 1070861
Changes:
 hdf5 (1.14.4.3+repack-1~exp2) experimental; urgency=medium
 .
   * New upstream release
   * Fixed CVE-2024-33877 CVE-2024-33876 CVE-2024-33875 CVE-2024-33874
     CVE-2024-33873 CVE-2024-32624 CVE-2024-32623 CVE-2024-32622
     CVE-2024-32621 CVE-2024-32620 CVE-2024-32619 CVE-2024-32618
     CVE-2024-32617 CVE-2024-32616 CVE-2024-32615 CVE-2024-32614
     CVE-2024-32613 CVE-2024-32612 CVE-2024-32611 CVE-2024-32610
     CVE-2024-32609 CVE-2024-32607 CVE-2024-32606 CVE-2024-32605
     CVE-2024-29166 CVE-2024-29165 CVE-2024-29164 CVE-2024-29163
     CVE-2024-29162 CVE-2024-29161 CVE-2024-29160 CVE-2024-29159
     CVE-2024-29158 CVE-2024-29157 (closes: #1070861)
   * h5fuse.sh renamed as h5fuse
   * Docs: no more html folder
   * d/copyright: acknowledge new HDF5Examples/COPYING file
   * d/rules: fix libversion for patch level
   * Update symbols files

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
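An added check, not part of this bug thread or of the hdf5 packaging: a pure-Python reimplementation of dpkg's version ordering rules, used to tell whether an installed hdf5 package version is at or past the fixed version 1.14.4.3+repack-1~exp2 named in the changes entry above. On a Debian host `dpkg --compare-versions` answers the same question; this form also runs over an exported inventory with no dpkg present. The installed versions it is exercised with are constructed examples.

```python
import re

# Fixed Debian source version named in the changes entry above.
FIXED_VERSION = "1.14.4.3+repack-1~exp2"

def _order(c: str) -> int:
    # dpkg's character weight: '~' < end of string < letters < other symbols
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # dpkg's verrevcmp: alternate non-digit runs (by _order, padded with "")
    # and digit runs (compared numerically) until both strings are consumed
    while a or b:
        ma, mb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        sa, sb = ma.group(), mb.group()
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i] if i < len(sa) else "")
            ob = _order(sb[i] if i < len(sb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def _split(v: str) -> tuple:
    # [epoch:]upstream[-revision]; an absent epoch or revision counts as 0
    epoch, _, rest = v.rpartition(":")
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return int(epoch or "0"), upstream, revision

def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1, ordered as `dpkg --compare-versions` would order a against b
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    # True when the installed hdf5 package version already carries the fix
    return compare_versions(installed, fixed) >= 0
```

Note that the `~exp2` suffix sorts below the plain `-1` revision, so a later upload of 1.14.4.3+repack-1 to unstable is correctly treated as fixed as well.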
