Source: hdf5
Version: 1.14.5+repack-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for hdf5.

CVE-2025-2310[0]:
| A vulnerability was found in HDF5 1.14.6 and classified as critical.
| This issue affects the function H5MM_strndup of the component
| Metadata Attribute Decoder. The manipulation leads to heap-based
| buffer overflow. Attacking locally is a requirement. The exploit has
| been disclosed to the public and may be used. The real existence of
| this vulnerability is still doubted at the moment. The vendor was
| contacted early about a batch of vulnerabilities. His response was
| "reject" without further explanation. We have not received an
| elaboration even after asking politely for further details.
| Currently we assume that the vendor wants to "dispute" the entries
| which is why they are flagged as such until further details become
| available.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2310
    https://www.cve.org/CVERecord?id=CVE-2025-2310

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to