Hi Tobias,

The vulnerabilities you mentioned were addressed in the HDF5 1.8.18 release that you can obtain here: https://support.hdfgroup.org/HDF5/release/obtain518.html
For the issues fixed, please see the RELEASE.txt file: https://support.hdfgroup.org/ftp/HDF5/current18/src/hdf5-1.8.18-RELEASE.txt

Unfortunately, we failed to indicate the corresponding TALOS reports. Here they are:

CVE-2016-4330: HDF5 bug HDFFV-9992 (TALOS-2016-176)
CVE-2016-4331: HDF5 bug HDFFV-9951 (TALOS-2016-177)
CVE-2016-4332: HDF5 bug HDFFV-9950 (TALOS-2016-178)
CVE-2016-4333: HDF5 bug HDFFV-9993 (TALOS-2016-179)

The fixes are not in HDF5-1.10.0-patch1, but will be in the HDF5 1.10.1 release coming in January 2017.

-Barbara

-----Original Message-----
From: Hdf-forum [mailto:[email protected]] On Behalf Of Tobias Richter
Sent: Thursday, December 01, 2016 2:48 AM
To: HDF Users Discussion List
Subject: [Hdf-forum] CVE-2016-4330 to CVE-2016-4333

Hi,

Apparently a number of security-relevant problems have been found in the HDF5 library and have been publicised a couple of weeks ago:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333

I understand there is some risk opening untrusted HDF5 files with an unfixed library. Some Linux distributions have pushed out patched versions (for example Debian), but I’m not sure there is a source release available (or a binary build for that matter) from the HDF group. At least I could not see any announcement in this mailing list or on their web page.

Best wishes,
Tobias

_______________________________________________
Hdf-forum is for HDF software users discussion.
[email protected]
http://lists.hdfgroup.org/mailman/listinfo/hdf-forum_lists.hdfgroup.org
Twitter: https://twitter.com/hdf5
