hdf5: fix CVE-2025-2309

According to [1], A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor plans to fix this issue in an upcoming release. Backport patch [2] from upstream to fix CVE-2025-2309 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2309 [2] https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Libo Chen <libo.chen.cn@windriver.com> 2026-04-10 15:05:04 +0800
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15 14:12:18 +0530
commit: 6f240eceb0fe8ae357a4e5560bb7fb6dcae0e197 (patch)
tree: 92e1a4e9c50391440abac0166d7dd2def0e55e76
parent: 69fcb4d4b1bbd991f12185ef11dfe81561375887 (diff)
download: meta-openembedded-6f240eceb0fe8ae357a4e5560bb7fb6dcae0e197.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch
new file mode 100644
index 0000000000..d14cb2589f
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch
@@ -0,0 +1,41 @@
+From 6b24925c5fae3e2d7f47e9e7c879816673a48cd5 Mon Sep 17 00:00:00 2001
+From: Libo Chen <libo.chen.cn@windriver.com>
+Date: Fri, 30 Jan 2026 15:04:26 +0800
+Subject: [PATCH] Fix CVE-2025-2309
+A malformed file can trigger bit field type conversions that can (due to missing boundary checks in the conversion step) cause a heap buffer overflow. This PR adds a check on the defined conversion to ensure it does not read beyond the size of a single bit field element. Thus, H5T__bit_copy does not result in a buffer overflow. There are several other calls to H5T__bit_copy which might be subject to a similar issue.
+This PR fixes CVE-2025-2309.
+CVE: CVE-2025-2309
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1]
+Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
+---
+ src/H5Odtype.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/src/H5Odtype.c b/src/H5Odtype.c
+index 24671b0..085ce24 100644
+--- a/src/H5Odtype.c
+++ b/src/H5Odtype.c
+@@ -307,6 +307,15 @@ H5O__dtype_decode_helper(unsigned *ioflags /*in,out*/, const uint8_t **pp, H5T_t
+                 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
+             UINT16DECODE(*pp, dt->shared->u.atomic.offset);
+             UINT16DECODE(*pp, dt->shared->u.atomic.prec);
+
+            /* Sanity checks */
+            if (dt->shared->u.atomic.offset >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "bitfield offset out of bounds");
+            if (0 == dt->shared->u.atomic.prec)
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "bitfield precision is zero");
+            if (((dt->shared->u.atomic.offset + dt->shared->u.atomic.prec) - 1) >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "bitfield offset+precision out of bounds");
+
+             break;
+ 
+         case H5T_OPAQUE: {
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
index 5a834bd4e3..ca1e8d7076 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -27,6 +27,7 @@ SRC_URI = " \
    file://CVE-2025-2153.patch \
    file://CVE-2025-2310.patch \
    file://CVE-2025-44905.patch \
+    file://CVE-2025-2309.patch \
 "
 SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
author	Libo Chen <libo.chen.cn@windriver.com>	2026-04-10 15:05:04 +0800
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-04-15 14:12:18 +0530
commit	6f240eceb0fe8ae357a4e5560bb7fb6dcae0e197 (patch)
tree	92e1a4e9c50391440abac0166d7dd2def0e55e76
parent	69fcb4d4b1bbd991f12185ef11dfe81561375887 (diff)
download	meta-openembedded-6f240eceb0fe8ae357a4e5560bb7fb6dcae0e197.tar.gz

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch new file mode 100644 index 0000000000..d14cb2589f --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch
@@ -0,0 +1,41 @@
		1	From 6b24925c5fae3e2d7f47e9e7c879816673a48cd5 Mon Sep 17 00:00:00 2001
		2	From: Libo Chen <libo.chen.cn@windriver.com>
		3	Date: Fri, 30 Jan 2026 15:04:26 +0800
		4	Subject: [PATCH] Fix CVE-2025-2309
		5
		6	A malformed file can trigger bit field type conversions that can (due to missing boundary checks in the conversion step) cause a heap buffer overflow. This PR adds a check on the defined conversion to ensure it does not read beyond the size of a single bit field element. Thus, H5T__bit_copy does not result in a buffer overflow. There are several other calls to H5T__bit_copy which might be subject to a similar issue.
		7
		8	This PR fixes CVE-2025-2309.
		9
		10	CVE: CVE-2025-2309
		11
		12	Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1]
		13
		14	Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
		15	---
		16	src/H5Odtype.c \| 9 +++++++++
		17	1 file changed, 9 insertions(+)
		18
		19	diff --git a/src/H5Odtype.c b/src/H5Odtype.c
		20	index 24671b0..085ce24 100644
		21	--- a/src/H5Odtype.c
		22	+++ b/src/H5Odtype.c
		23	@@ -307,6 +307,15 @@ H5O__dtype_decode_helper(unsigned ioflags /in,out/, const uint8_t *pp, H5T_t
		24	HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
		25	UINT16DECODE(*pp, dt->shared->u.atomic.offset);
		26	UINT16DECODE(*pp, dt->shared->u.atomic.prec);
		27	+
		28	+ /* Sanity checks */
		29	+ if (dt->shared->u.atomic.offset >= (dt->shared->size * 8))
		30	+ HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "bitfield offset out of bounds");
		31	+ if (0 == dt->shared->u.atomic.prec)
		32	+ HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "bitfield precision is zero");
		33	+ if (((dt->shared->u.atomic.offset + dt->shared->u.atomic.prec) - 1) >= (dt->shared->size * 8))
		34	+ HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "bitfield offset+precision out of bounds");
		35	+
		36	break;
		37
		38	case H5T_OPAQUE: {
		39	--
		40	2.34.1
		41


diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 5a834bd4e3..ca1e8d7076 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -27,6 +27,7 @@ SRC_URI = " \
27	file://CVE-2025-2153.patch \	27	file://CVE-2025-2153.patch \
28	file://CVE-2025-2310.patch \	28	file://CVE-2025-2310.patch \
29	file://CVE-2025-44905.patch \	29	file://CVE-2025-44905.patch \
		30	file://CVE-2025-2309.patch \
30	"	31	"
31	SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"	32	SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
32		33