2 files changed, 42 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch
new file mode 100644
index 0000000000..f15a7f9644
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch
@@ -0,0 +1,41 @@
+From 7cc3c76f681fb4ca739457950352654aecd647a9 Mon Sep 17 00:00:00 2001
+From: Matt L <124107509+mattjala@users.noreply.github.com>
+Date: Thu, 9 Oct 2025 16:10:23 -0500
+Subject: [PATCH] Fix CVE-2025-2310 (#5872)
+Malformed files can have a zero name-length, which when subtracted lead to an overflow and an out-of-bounds read.
+Check that name length is not too small in addition to checking for an overflow directly.
+CVE: CVE-2025-2310
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/H5Oattr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/H5Oattr.c b/src/H5Oattr.c
+index 6d1d237..2f8c259 100644
+--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
+@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
+     if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     UINT16DECODE(p, name_len); /* Including null */
+
+    /* Verify that retrieved name length (including null byte) is valid */
+    if (name_len <= 1)
+        HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid");
+
+     if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     UINT16DECODE(p, attr->shared->dt_size);
+@@ -190,6 +195,7 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
+      */
+     if (H5_IS_BUFFER_OVERFLOW(p, name_len, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+
+     if (NULL == (attr->shared->name = H5MM_strndup((const char *)p, name_len - 1)))
+         HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed");
+ 
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
index 345598c8f2..52727cfae3 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
           file://0002-Remove-suffix-shared-from-shared-library-name.patch \
           file://0001-cmake-remove-build-flags.patch \
           file://0001-Fix-CVE-2025-2153-5795.patch \
+           file://0001-Fix-CVE-2025-2310-5872.patch \
           "
 SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"

diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch new file mode 100644 index 0000000000..f15a7f9644 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch
@@ -0,0 +1,41 @@
		1	From 7cc3c76f681fb4ca739457950352654aecd647a9 Mon Sep 17 00:00:00 2001
		2	From: Matt L <124107509+mattjala@users.noreply.github.com>
		3	Date: Thu, 9 Oct 2025 16:10:23 -0500
		4	Subject: [PATCH] Fix CVE-2025-2310 (#5872)
		5
		6	Malformed files can have a zero name-length, which when subtracted lead to an overflow and an out-of-bounds read.
		7
		8	Check that name length is not too small in addition to checking for an overflow directly.
		9
		10	CVE: CVE-2025-2310
		11	Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4]
		12
		13	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		14	---
		15	src/H5Oattr.c \| 6 ++++++
		16	1 file changed, 6 insertions(+)
		17
		18	diff --git a/src/H5Oattr.c b/src/H5Oattr.c
		19	index 6d1d237..2f8c259 100644
		20	--- a/src/H5Oattr.c
		21	+++ b/src/H5Oattr.c
		22	@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t f, H5O_t open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
		23	if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
		24	HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
		25	UINT16DECODE(p, name_len); /* Including null */
		26	+
		27	+ /* Verify that retrieved name length (including null byte) is valid */
		28	+ if (name_len <= 1)
		29	+ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid");
		30	+
		31	if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
		32	HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
		33	UINT16DECODE(p, attr->shared->dt_size);
		34	@@ -190,6 +195,7 @@ H5O__attr_decode(H5F_t f, H5O_t open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
		35	*/
		36	if (H5_IS_BUFFER_OVERFLOW(p, name_len, p_end))
		37	HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
		38	+
		39	if (NULL == (attr->shared->name = H5MM_strndup((const char *)p, name_len - 1)))
		40	HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed");
		41


diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 345598c8f2..52727cfae3 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
15	file://0002-Remove-suffix-shared-from-shared-library-name.patch \	15	file://0002-Remove-suffix-shared-from-shared-library-name.patch \
16	file://0001-cmake-remove-build-flags.patch \	16	file://0001-cmake-remove-build-flags.patch \
17	file://0001-Fix-CVE-2025-2153-5795.patch \	17	file://0001-Fix-CVE-2025-2153-5795.patch \
		18	file://0001-Fix-CVE-2025-2310-5872.patch \
18	"	19	"
19	SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"	20	SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
20		21