diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-10-14 16:55:24 +0200 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2025-10-14 09:00:26 -0700 |
| commit | a66568152a0d3031dd76055d3113679019e56b96 (patch) | |
| tree | bbe31fad138a010b3457a3acab4c5ef6c4125617 | |
| parent | 32bbc37d2a1603b2426d74742f150a2c90dc51e6 (diff) | |
| download | meta-openembedded-a66568152a0d3031dd76055d3113679019e56b96.tar.gz | |
hdf5: patch CVE-2025-2153
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2153
Pick the patch that resolved the issue from the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| -rw-r--r-- | meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2153-5795.patch | 47 | ||||
| -rw-r--r-- | meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | 10 |
2 files changed, 52 insertions, 5 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2153-5795.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2153-5795.patch new file mode 100644 index 0000000000..4b31718dea --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2153-5795.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From 183c8aeb601a02a38dd6815bcb651a7317b1b647 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Glenn Song <43005495+glennsong09@users.noreply.github.com> | ||
| 3 | Date: Thu, 9 Oct 2025 07:51:49 -0500 | ||
| 4 | Subject: [PATCH] Fix CVE-2025-2153 (#5795) | ||
| 5 | |||
| 6 | This PR fixes #5329. Previously, the message flags field was able to be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t could be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they indicate they can be shared. | ||
| 7 | |||
| 8 | The bug was first reproduced using the fuzzer and the POC file from #5329. With this change, the heap based buffer overflow no longer occurs. | ||
| 9 | |||
| 10 | CVE: CVE-2025-2153 | ||
| 11 | Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0] | ||
| 12 | |||
| 13 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 14 | --- | ||
| 15 | src/H5Ocache.c | 4 ++-- | ||
| 16 | src/H5Omessage.c | 3 +++ | ||
| 17 | 2 files changed, 5 insertions(+), 2 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/src/H5Ocache.c b/src/H5Ocache.c | ||
| 20 | index 87f321c..12c30cf 100644 | ||
| 21 | --- a/src/H5Ocache.c | ||
| 22 | +++ b/src/H5Ocache.c | ||
| 23 | @@ -1399,8 +1399,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t | ||
| 24 | else { | ||
| 25 | /* Check for message of unshareable class marked as "shareable" | ||
| 26 | */ | ||
| 27 | - if ((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] && | ||
| 28 | - !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) | ||
| 29 | + if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) && | ||
| 30 | + H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) | ||
| 31 | HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, | ||
| 32 | "message of unshareable class flagged as shareable"); | ||
| 33 | |||
| 34 | diff --git a/src/H5Omessage.c b/src/H5Omessage.c | ||
| 35 | index 7190e46..fb9006c 100644 | ||
| 36 | --- a/src/H5Omessage.c | ||
| 37 | +++ b/src/H5Omessage.c | ||
| 38 | @@ -354,6 +354,9 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m | ||
| 39 | */ | ||
| 40 | assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE)); | ||
| 41 | |||
| 42 | + /* Sanity check to see if the type is not sharable */ | ||
| 43 | + assert(type->share_flags & H5O_SHARE_IS_SHARABLE); | ||
| 44 | + | ||
| 45 | /* Remove the old message from the SOHM index */ | ||
| 46 | /* (It would be more efficient to try to share the message first, then | ||
| 47 | * delete it (avoiding thrashing the index in the case the ref. | ||
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 974007a3e9..345598c8f2 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | |||
| @@ -11,11 +11,11 @@ inherit cmake siteinfo qemu multilib_header multilib_script | |||
| 11 | 11 | ||
| 12 | DEPENDS += "qemu-native zlib" | 12 | DEPENDS += "qemu-native zlib" |
| 13 | 13 | ||
| 14 | SRC_URI = " \ | 14 | SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${BPN}-${PV}.tar.gz \ |
| 15 | https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${BPN}-${PV}.tar.gz \ | 15 | file://0002-Remove-suffix-shared-from-shared-library-name.patch \ |
| 16 | file://0002-Remove-suffix-shared-from-shared-library-name.patch \ | 16 | file://0001-cmake-remove-build-flags.patch \ |
| 17 | file://0001-cmake-remove-build-flags.patch \ | 17 | file://0001-Fix-CVE-2025-2153-5795.patch \ |
| 18 | " | 18 | " |
| 19 | SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b" | 19 | SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b" |
| 20 | 20 | ||
| 21 | FILES:${PN} += "${libdir}/libhdf5.settings ${datadir}/*" | 21 | FILES:${PN} += "${libdir}/libhdf5.settings ${datadir}/*" |