
[meta-oe,6/6] hdf5: patch CVE-2025-6750

Message ID 20251014145529.1078084-6-skandigraun@gmail.com
State Under Review

Commit Message

Gyorgy Sarvari Oct. 14, 2025, 2:55 p.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-6750

Pick the patch that is marked as resolving the issue linked in
the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../files/0001-Fixes-CVE-2025-6750-5856.patch | 87 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb   |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch

diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
new file mode 100644
index 0000000000..cf8687f010
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
@@ -0,0 +1,87 @@ 
+From 7159488b73fb429a78f79763f7b3775a3c160fad Mon Sep 17 00:00:00 2001
+From: bmribler <39579120+bmribler@users.noreply.github.com>
+Date: Fri, 26 Sep 2025 11:46:50 -0400
+Subject: [PATCH] Fixes CVE-2025-6750 (#5856)
+
+* Fixes CVE-2025-6750
+
+A heap buffer overflow occurred because an mtime message was not properly decoded, resulting in a buffer of size 0 being passed into the encoder.
+
+This PR added decoding for both old and new mtime messages which will allow invalid message size to be detected.
+
+Fixes #5549
+
+CVE: CVE-2025-6750
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/H5Ocache.c | 41 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/src/H5Ocache.c b/src/H5Ocache.c
+index 12c30cf..e6095a7 100644
+--- a/src/H5Ocache.c
++++ b/src/H5Ocache.c
+@@ -1265,6 +1265,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+         if (mesg_size != H5O_ALIGN_OH(oh, mesg_size))
+             HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned");
+ 
++        if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end))
++            HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message size exceeds buffer end");
++
+         /* Message flags */
+         if (H5_IS_BUFFER_OVERFLOW(chunk_image, 1, p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
+@@ -1297,12 +1300,6 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+             }
+         }
+ 
+-        /* Try to detect invalidly formatted object header message that
+-         *  extends past end of chunk.
+-         */
+-        if (chunk_image + mesg_size > eom_ptr)
+-            HGOTO_ERROR(H5E_OHDR, H5E_CANTINIT, FAIL, "corrupt object header");
+-
+         /* Increment count of null messages */
+         if (H5O_NULL_ID == id)
+             nullcnt++;
+@@ -1449,6 +1446,38 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+                     HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount");
+                 oh->nlink = *refcount;
+             }
++            /* Check if message is an old mtime message */
++            else if (H5O_MTIME_ID == id) {
++                time_t *mtime = NULL;
++
++                /* Decode mtime message */
++                mtime =
++                    (time_t *)(H5O_MSG_MTIME->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw);
++
++                /* Save the decoded old format mtime */
++                if (!mtime)
++                    HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode old format mtime");
++
++                /* Save 'native' form of mtime message and its value */
++                mesg->native = mtime;
++                oh->ctime    = *mtime;
++            }
++            /* Check if message is an new mtime message */
++            else if (H5O_MTIME_NEW_ID == id) {
++                time_t *mtime = NULL;
++
++                /* Decode mtime message */
++                mtime = (time_t *)(H5O_MSG_MTIME_NEW->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size,
++                                                              mesg->raw);
++
++                /* Save the decoded new format mtime */
++                if (!mtime)
++                    HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode new format mtime");
++
++                /* Save 'native' form of mtime message and its value */
++                mesg->native = mtime;
++                oh->ctime    = *mtime;
++            }
+             /* Check if message is a link message */
+             else if (H5O_LINK_ID == id) {
+                 /* Increment the count of link messages */
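Review bot: The bounds check added in the first inner hunk of H5Ocache.c (`H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end)`) runs before the flags byte and the reserved/creation-index bytes are consumed and is measured against p_end, whereas the check removed in the second inner hunk ran after those header bytes and against eom_ptr, so the replacement appears to admit a message whose raw payload ends a few bytes beyond what the old check allowed and may overlap the region after eom_ptr, unless a further check in the lines between the hunks (not shown) closes that gap. H5O__chunk_deserialize starts and ends outside the hunks and the definitions of p_end and eom_ptr are not visible, so this is worth confirming against the linked upstream commit before carrying the backport — for instance by checking whether upstream still keeps `if (chunk_image + mesg_size > eom_ptr) HGOTO_ERROR(H5E_OHDR, H5E_CANTINIT, FAIL, "corrupt object header");` at the position of the removed lines, or re-asserts `H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end)` once the header bytes have been skipped. The two new mtime branches in the third inner hunk mirror the refcount branch above them (decode, NULL check, store `mesg->native` and `oh->ctime`) and look consistent; the comment `Check if message is an new mtime message` has a typo (`a new`), which as a verbatim backport is best left for upstream rather than edited locally.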
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
index 3ff96d7301..7d75f0e7dc 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
@@ -19,6 +19,7 @@  SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
            file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \
            file://0001-Fix-CVE-2025-2924-5814.patch \
            file://0001-Fix-CVE-2025-2925-5739.patch \
+           file://0001-Fixes-CVE-2025-6750-5856.patch \
            "
 SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"