hdf5 1.14.4-3: fix CVE-2025-2912

Upstream Repository: https://github.com/HDFGroup/hdf5.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2912 Type: Security Fix CVE: CVE-2025-2912 Score: 4.8 Patch: https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a Analysis: - CVE-2025-2913 was previously fixed by [1], which is also addresses CVE-2025-2912 as noted in [4]. - NVD [2] references the GitHub discussion [3] for CVE-2025-2912, and we successfully reproduced the issue following the steps outlined there. - Applied the fix from [4] and verified resolution using the reproduction steps. - The same patch [4] is already included in OE-scarthgap [5] for CVE-2025-2913. - Therefore, reused the patch from [5] to resolve CVE-2025-2912. References: [1] https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a [2] https://nvd.nist.gov/vuln/detail/CVE-2025-2912 [3] https://github.com/HDFGroup/hdf5/issues/5370#issue-2917388806 [4] https://github.com/HDFGroup/hdf5/issues/5370#issuecomment-3542881855 [5] https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-support/hdf5?h=scarthgap&id=b42e6eb3e51a Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Sudhir Dumbhare <sudumbha@cisco.com> 2025-12-08 20:59:14 -0800
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2025-12-11 08:00:53 +0530
commit: e0dbf0bcd38f886ed4c720cdf520d6b04534fee0 (patch)
tree: 21357d11ddc3111cf51ce0b555fea754d50f146d
parent: c223262bd7e275a8518a3524e51ff616cad70aab (diff)
download: meta-openembedded-e0dbf0bcd38f886ed4c720cdf520d6b04534fee0.tar.gz
2 files changed, 3 insertions, 2 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch
index e1614bee9b..47c887597a 100644
--- a/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch
@@ -9,10 +9,11 @@ one of the free lists.  It appeared that the library came to this vulnerability
 after it encountered an undetected reading of a bad value.  The fuzzer now failed
 with an appropriate error message.
-CVE: CVE-2025-2913
+CVE: CVE-2025-2913 CVE-2025-2912
 Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a09c892bc97ac32d9515c3777ce07]
 (cherry picked from commit 7cc8b5e1010a09c892bc97ac32d9515c3777ce07)
 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
 ---
 src/H5Ocont.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
index 8a37323536..e8432f0d6b 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -15,7 +15,7 @@ SRC_URI = " \
    https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.4/src/${BPN}-${PV}.tar.gz \
    file://0002-Remove-suffix-shared-from-shared-library-name.patch \
    file://0001-cmake-remove-build-flags.patch \
-    file://CVE-2025-2913.patch \
+    file://CVE-2025-2913-CVE-2025-2912.patch \
    file://CVE-2025-2914.patch \
    file://CVE-2025-2915.patch \
    file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \
author	Sudhir Dumbhare <sudumbha@cisco.com>	2025-12-08 20:59:14 -0800
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2025-12-11 08:00:53 +0530
commit	e0dbf0bcd38f886ed4c720cdf520d6b04534fee0 (patch)
tree	21357d11ddc3111cf51ce0b555fea754d50f146d
parent	c223262bd7e275a8518a3524e51ff616cad70aab (diff)
download	meta-openembedded-e0dbf0bcd38f886ed4c720cdf520d6b04534fee0.tar.gz