2 files changed, 88 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
new file mode 100644
index 0000000000..cf8687f010
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
@@ -0,0 +1,87 @@
+From 7159488b73fb429a78f79763f7b3775a3c160fad Mon Sep 17 00:00:00 2001
+From: bmribler <39579120+bmribler@users.noreply.github.com>
+Date: Fri, 26 Sep 2025 11:46:50 -0400
+Subject: [PATCH] Fixes CVE-2025-6750 (#5856)
+* Fixes CVE-2025-6750
+A heap buffer overflow occurred because an mtime message was not properly decoded, resulting in a buffer of size 0 being passed into the encoder.
+This PR added decoding for both old and new mtime messages which will allow invalid message size to be detected.
+Fixes #5549
+CVE: CVE-2025-6750
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/H5Ocache.c | 41 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 6 deletions(-)
+diff --git a/src/H5Ocache.c b/src/H5Ocache.c
+index 12c30cf..e6095a7 100644
+--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
+@@ -1265,6 +1265,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+         if (mesg_size != H5O_ALIGN_OH(oh, mesg_size))
+             HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned");
+ 
+        if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end))
+            HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message size exceeds buffer end");
+
+         /* Message flags */
+         if (H5_IS_BUFFER_OVERFLOW(chunk_image, 1, p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
+@@ -1297,12 +1300,6 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+             }
+         }
+ 
+-        /* Try to detect invalidly formatted object header message that
+-         *  extends past end of chunk.
+-         */
+-        if (chunk_image + mesg_size > eom_ptr)
+-            HGOTO_ERROR(H5E_OHDR, H5E_CANTINIT, FAIL, "corrupt object header");
+-
+         /* Increment count of null messages */
+         if (H5O_NULL_ID == id)
+             nullcnt++;
+@@ -1449,6 +1446,38 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+                     HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount");
+                 oh->nlink = *refcount;
+             }
+            /* Check if message is an old mtime message */
+            else if (H5O_MTIME_ID == id) {
+                time_t *mtime = NULL;
+
+                /* Decode mtime message */
+                mtime =
+                    (time_t *)(H5O_MSG_MTIME->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw);
+
+                /* Save the decoded old format mtime */
+                if (!mtime)
+                    HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode old format mtime");
+
+                /* Save 'native' form of mtime message and its value */
+                mesg->native = mtime;
+                oh->ctime    = *mtime;
+            }
+            /* Check if message is an new mtime message */
+            else if (H5O_MTIME_NEW_ID == id) {
+                time_t *mtime = NULL;
+
+                /* Decode mtime message */
+                mtime = (time_t *)(H5O_MSG_MTIME_NEW->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size,
+                                                              mesg->raw);
+
+                /* Save the decoded new format mtime */
+                if (!mtime)
+                    HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode new format mtime");
+
+                /* Save 'native' form of mtime message and its value */
+                mesg->native = mtime;
+                oh->ctime    = *mtime;
+            }
+             /* Check if message is a link message */
+             else if (H5O_LINK_ID == id) {
+                 /* Increment the count of link messages */
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
index 3ff96d7301..7d75f0e7dc 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
           file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \
           file://0001-Fix-CVE-2025-2924-5814.patch \
           file://0001-Fix-CVE-2025-2925-5739.patch \
+           file://0001-Fixes-CVE-2025-6750-5856.patch \
           "
 SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"

diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch new file mode 100644 index 0000000000..cf8687f010 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
@@ -0,0 +1,87 @@
		1	From 7159488b73fb429a78f79763f7b3775a3c160fad Mon Sep 17 00:00:00 2001
		2	From: bmribler <39579120+bmribler@users.noreply.github.com>
		3	Date: Fri, 26 Sep 2025 11:46:50 -0400
		4	Subject: [PATCH] Fixes CVE-2025-6750 (#5856)
		5
		6	* Fixes CVE-2025-6750
		7
		8	A heap buffer overflow occurred because an mtime message was not properly decoded, resulting in a buffer of size 0 being passed into the encoder.
		9
		10	This PR added decoding for both old and new mtime messages which will allow invalid message size to be detected.
		11
		12	Fixes #5549
		13
		14	CVE: CVE-2025-6750
		15	Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54]
		16
		17	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		18	---
		19	src/H5Ocache.c \| 41 +++++++++++++++++++++++++++++++++++------
		20	1 file changed, 35 insertions(+), 6 deletions(-)
		21
		22	diff --git a/src/H5Ocache.c b/src/H5Ocache.c
		23	index 12c30cf..e6095a7 100644
		24	--- a/src/H5Ocache.c
		25	+++ b/src/H5Ocache.c
		26	@@ -1265,6 +1265,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
		27	if (mesg_size != H5O_ALIGN_OH(oh, mesg_size))
		28	HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned");
		29
		30	+ if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end))
		31	+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message size exceeds buffer end");
		32	+
		33	/* Message flags */
		34	if (H5_IS_BUFFER_OVERFLOW(chunk_image, 1, p_end))
		35	HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
		36	@@ -1297,12 +1300,6 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
		37	}
		38	}
		39
		40	- /* Try to detect invalidly formatted object header message that
		41	- * extends past end of chunk.
		42	- */
		43	- if (chunk_image + mesg_size > eom_ptr)
		44	- HGOTO_ERROR(H5E_OHDR, H5E_CANTINIT, FAIL, "corrupt object header");
		45	-
		46	/* Increment count of null messages */
		47	if (H5O_NULL_ID == id)
		48	nullcnt++;
		49	@@ -1449,6 +1446,38 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
		50	HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount");
		51	oh->nlink = *refcount;
		52	}
		53	+ /* Check if message is an old mtime message */
		54	+ else if (H5O_MTIME_ID == id) {
		55	+ time_t *mtime = NULL;
		56	+
		57	+ /* Decode mtime message */
		58	+ mtime =
		59	+ (time_t *)(H5O_MSG_MTIME->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw);
		60	+
		61	+ /* Save the decoded old format mtime */
		62	+ if (!mtime)
		63	+ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode old format mtime");
		64	+
		65	+ /* Save 'native' form of mtime message and its value */
		66	+ mesg->native = mtime;
		67	+ oh->ctime = *mtime;
		68	+ }
		69	+ /* Check if message is an new mtime message */
		70	+ else if (H5O_MTIME_NEW_ID == id) {
		71	+ time_t *mtime = NULL;
		72	+
		73	+ /* Decode mtime message */
		74	+ mtime = (time_t *)(H5O_MSG_MTIME_NEW->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size,
		75	+ mesg->raw);
		76	+
		77	+ /* Save the decoded new format mtime */
		78	+ if (!mtime)
		79	+ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode new format mtime");
		80	+
		81	+ /* Save 'native' form of mtime message and its value */
		82	+ mesg->native = mtime;
		83	+ oh->ctime = *mtime;
		84	+ }
		85	/* Check if message is a link message */
		86	else if (H5O_LINK_ID == id) {
		87	/* Increment the count of link messages */


diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 3ff96d7301..7d75f0e7dc 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
19	file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \	19	file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \
20	file://0001-Fix-CVE-2025-2924-5814.patch \	20	file://0001-Fix-CVE-2025-2924-5814.patch \
21	file://0001-Fix-CVE-2025-2925-5739.patch \	21	file://0001-Fix-CVE-2025-2925-5739.patch \
		22	file://0001-Fixes-CVE-2025-6750-5856.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"	24	SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
24		25