[meta-oe,scarthgap,v2,v2,03/18] hdf5: patch CVE-2025-2923

Message ID	20251014233233.304125-4-ankur.tyagi85@gmail.com
State	New
Headers	show Return-Path: <ankur.tyagi85@gmail.com> ip: 209.85.215.175, mailfrom: ankur.tyagi85@gmail.com) From: Ankur Tyagi <ankur.tyagi85@gmail.com> To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>, Gyorgy Sarvari <skandigraun@gmail.com> Subject: [oe][meta-oe][scarthgap][PATCH v2 v2 03/18] hdf5: patch CVE-2025-2923 Date: Wed, 15 Oct 2025 12:32:14 +1300 Message-ID: <20251014233233.304125-4-ankur.tyagi85@gmail.com> In-Reply-To: <20251014233233.304125-1-ankur.tyagi85@gmail.com> References: <20251014233233.304125-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	patch CVE \| expand [meta-oe,scarthgap,v2,v2,00/18] patch CVE [meta-oe,scarthgap,v2,v2,01/18] dash: set CVE_PRODUCT [meta-oe,scarthgap,v2,v2,02/18] libppd: patch CVE-2024-47175 [meta-oe,scarthgap,v2,v2,03/18] hdf5: patch CVE-2025-2923 [meta-oe,scarthgap,v2,v2,04/18] hdf5: patch CVE-2025-2924 [meta-oe,scarthgap,v2,v2,05/18] hdf5: patch CVE-2025-2925 [meta-oe,scarthgap,v2,v2,06/18] hdf5: patch CVE-2025-6269 [meta-oe,scarthgap,v2,v2,07/18] libcupsfilters: patch CVE-2024-47076 [meta-oe,scarthgap,v2,v2,08/18] libraw: patch CVE-2025-43961 CVE-2025-43962 [meta-oe,scarthgap,v2,v2,09/18] libraw: patch CVE-2025-43963 [meta-oe,scarthgap,v2,v2,10/18] libraw: patch CVE-2025-43964 [meta-oe,scarthgap,v2,v2,11/18] zlog: fix CVE-2024-22857 [meta-oe,scarthgap,v2,v2,12/18] exiv2: patch CVE-2025-26623 [meta-oe,scarthgap,v2,v2,13/18] exiv2: patch CVE-2025-54080 [meta-oe,scarthgap,v2,v2,14/18] exiv2: patch CVE-2025-55304 [meta-oe,scarthgap,v2,v2,15/18] gattlib: mark CVE-2019-6498 as fixed [meta-oe,scarthgap,v2,v2,16/18] influxdb: Do not remove non-existing files [meta-oe,scarthgap,v2,v2,17/18] influxdb: Update CVE status for CVE-2019-10329 [meta-oe,scarthgap,v2,v2,18/18] jasper: upgrade to 4.1.2 release

Message ID

20251014233233.304125-4-ankur.tyagi85@gmail.com

State

New

Headers

From: Ankur Tyagi <ankur.tyagi85@gmail.com>
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>,
	Gyorgy Sarvari <skandigraun@gmail.com>
Subject: [oe][meta-oe][scarthgap][PATCH v2 v2 03/18] hdf5: patch CVE-2025-2923
Date: Wed, 15 Oct 2025 12:32:14 +1300
Message-ID: <20251014233233.304125-4-ankur.tyagi85@gmail.com>
In-Reply-To: <20251014233233.304125-1-ankur.tyagi85@gmail.com>
References: <20251014233233.304125-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

patch CVE | expand

Commit Message

Ankur Tyagi Oct. 14, 2025, 11:32 p.m. UTC

Details https://nvd.nist.gov/vuln/detail/CVE-2025-2923

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 01238545d8f0ac9aabc271538d0ca5ccd9f3d9f4)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../hdf5/files/0001-CVE-2025-2923.patch       | 67 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch

diff --git a/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch b/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch
new file mode 100644
index 0000000000..ffaade2503
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch
@@ -0,0 +1,67 @@ 
+From 951ebdce0098dac1042d5e9650e655c6c1f92904 Mon Sep 17 00:00:00 2001
+From: jhendersonHDF <jhenderson@hdfgroup.org>
+Date: Fri, 26 Sep 2025 13:13:10 -0500
+Subject: [PATCH] CVE-2025-2923
+
+Fix issue with handling of corrupted object header continuation messages (#5829)
+
+An HDF5 file could be specifically constructed such that an object
+header contained a corrupted continuation message which pointed
+back to itself. This eventually resulted in an internal buffer being
+allocated with too small of a size, leading to a heap buffer overflow
+when encoding an object header message into it. This has been fixed
+by checking the expected number of deserialized object header chunks
+against the actual value as chunks are being deserialized.
+
+Fixes CVE-2025-6816, CVE-2025-6856, CVE-2025-2923
+
+CVE: CVE-2025-2923
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675]
+
+(cherry picked from commit 29c847a43db0cdc85b01cafa5a7613ea73932675)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/H5Oint.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/H5Oint.c b/src/H5Oint.c
+index 022ee43..a5e0072 100644
+--- a/src/H5Oint.c
++++ b/src/H5Oint.c
+@@ -1013,10 +1013,9 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks)
+          */
+         curr_msg = 0;
+         while (curr_msg < cont_msg_info.nmsgs) {
+-            H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */
+-#ifndef NDEBUG
+-            size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */
+-#endif                                   /* NDEBUG */
++            H5O_chunk_proxy_t *chk_proxy;            /* Proxy for chunk, to bring it into memory */
++            unsigned           chunkno;              /* Chunk number for chunk proxy */
++            size_t             chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */
+ 
+             /* Bring the chunk into the cache */
+             /* (which adds to the object header) */
+@@ -1029,14 +1028,20 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks)
+ 
+             /* Sanity check */
+             assert(chk_proxy->oh == oh);
+-            assert(chk_proxy->chunkno == chkcnt);
+-            assert(oh->nchunks == (chkcnt + 1));
++
++            chunkno = chk_proxy->chunkno;
+ 
+             /* Release the chunk from the cache */
+             if (H5AC_unprotect(loc->file, H5AC_OHDR_CHK, cont_msg_info.msgs[curr_msg].addr, chk_proxy,
+                                H5AC__NO_FLAGS_SET) < 0)
+                 HGOTO_ERROR(H5E_OHDR, H5E_CANTUNPROTECT, NULL, "unable to release object header chunk");
+ 
++            if (chunkno != chkcnt)
++                HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "incorrect chunk number for object header chunk");
++            if (oh->nchunks != (chkcnt + 1))
++                HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL,
++                            "incorrect number of chunks after deserializing object header chunk");
++
+             /* Advance to next continuation message */
+             curr_msg++;
+         } /* end while */
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
index f34e5f183d..4305826b22 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -15,6 +15,7 @@  SRC_URI = " \
     https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.4/src/${BPN}-${PV}.tar.gz \
     file://0002-Remove-suffix-shared-from-shared-library-name.patch \
     file://0001-cmake-remove-build-flags.patch \
+    file://0001-CVE-2025-2923.patch \
 "
 SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"

[meta-oe,scarthgap,v2,v2,03/18] hdf5: patch CVE-2025-2923

Commit Message

Patch