summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorLibo Chen <libo.chen.cn@windriver.com>2026-04-10 15:05:02 +0800
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-15 14:12:18 +0530
commitc96f578f10812ea0be4bace170d62f1a116dc0fc (patch)
tree73a7cd1c5b55cd423454a25b276645c5a08eb5a2 /meta-oe
parent43572581cf07864489f7f89c6d29e68bffc76c0b (diff)
downloadmeta-openembedded-c96f578f10812ea0be4bace170d62f1a116dc0fc.tar.gz
hdf5: fix CVE-2025-2310
According to [1], A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Backport patch [2] from upstream to fix CVE-2025-2310 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2310 [2] https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-support/hdf5/files/CVE-2025-2310.patch37
-rw-r--r--meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb1
2 files changed, 38 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2310.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2310.patch
new file mode 100644
index 0000000000..8ac74737d8
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2310.patch
@@ -0,0 +1,37 @@
1From 89a4466d72f688f4da6521e82a466c183ebe1d08 Mon Sep 17 00:00:00 2001
2From: Libo Chen <libo.chen.cn@windriver.com>
3Date: Fri, 30 Jan 2026 14:05:54 +0800
4Subject: [PATCH] Fix CVE-2025-2310
5
6Malformed files can have a zero name-length, which when subtracted lead to an overflow and an out-of-bounds read.
7
8Check that name length is not too small in addition to checking for an overflow directly.
9
10CVE: CVE-2025-2310
11
12Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4]
13
14Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
15---
16 src/H5Oattr.c | 5 +++++
17 1 file changed, 5 insertions(+)
18
19diff --git a/src/H5Oattr.c b/src/H5Oattr.c
20index 6d1d237..7b7ebb0 100644
21--- a/src/H5Oattr.c
22+++ b/src/H5Oattr.c
23@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
24 if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
25 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
26 UINT16DECODE(p, name_len); /* Including null */
27+
28+ /* Verify that retrieved name length (including null byte) is valid */
29+ if (name_len <= 1)
30+ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid");
31+
32 if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
33 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
34 UINT16DECODE(p, attr->shared->dt_size);
35--
362.34.1
37
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
index 09793b3d74..b1cab21e0f 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -25,6 +25,7 @@ SRC_URI = " \
25 file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch \ 25 file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch \
26 file://CVE-2025-2926.patch \ 26 file://CVE-2025-2926.patch \
27 file://CVE-2025-2153.patch \ 27 file://CVE-2025-2153.patch \
28 file://CVE-2025-2310.patch \
28" 29"
29SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" 30SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
30 31