diff mbox series

[meta-oe,Scarthgap] hdf5 1.14.4-3: fix CVE-2025-2912

Message ID 20251209050003.192253-1-sudumbha@cisco.com
State Under Review
Delegated to: Anuj Mittal
Headers show
Series [meta-oe,Scarthgap] hdf5 1.14.4-3: fix CVE-2025-2912 | expand

Commit Message

Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) Dec. 9, 2025, 4:59 a.m. UTC 
From: Sudhir Dumbhare <sudumbha@cisco.com>

Upstream Repository: https://github.com/HDFGroup/hdf5.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2912
Type: Security Fix
CVE: CVE-2025-2912
Score: 4.8
Patch: https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a

Analysis:
- CVE-2025-2913 was previously fixed by [1], which is also addresses CVE-2025-2912
  as noted in [4].
- NVD [2] references the GitHub discussion [3] for CVE-2025-2912, and we successfully
  reproduced the issue following the steps outlined there.
- Applied the fix from [4] and verified resolution using the reproduction steps.
- The same patch [4] is already included in OE-scarthgap [5] for CVE-2025-2913.
- Therefore, reused the patch from [5] to resolve CVE-2025-2912.

References:
[1] https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-2912
[3] https://github.com/HDFGroup/hdf5/issues/5370#issue-2917388806
[4] https://github.com/HDFGroup/hdf5/issues/5370#issuecomment-3542881855
[5] https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-support/hdf5?h=scarthgap&id=b42e6eb3e51a

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
 .../{CVE-2025-2913.patch => CVE-2025-2913-CVE-2025-2912.patch} | 3 ++-
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb                  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
 rename meta-oe/recipes-support/hdf5/files/{CVE-2025-2913.patch => CVE-2025-2913-CVE-2025-2912.patch} (94%)
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch
similarity index 94%
rename from meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch
rename to meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch
index e1614bee9b..47c887597a 100644
--- a/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch
@@ -9,10 +9,11 @@  one of the free lists.  It appeared that the library came to this vulnerability
 after it encountered an undetected reading of a bad value.  The fuzzer now failed
 with an appropriate error message.
 
-CVE: CVE-2025-2913
+CVE: CVE-2025-2913 CVE-2025-2912
 Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a09c892bc97ac32d9515c3777ce07]
 (cherry picked from commit 7cc8b5e1010a09c892bc97ac32d9515c3777ce07)
 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
 ---
  src/H5Ocont.c | 2 ++
  1 file changed, 2 insertions(+)
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
index 8a37323536..e8432f0d6b 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -15,7 +15,7 @@  SRC_URI = " \
     https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.4/src/${BPN}-${PV}.tar.gz \
     file://0002-Remove-suffix-shared-from-shared-library-name.patch \
     file://0001-cmake-remove-build-flags.patch \
-    file://CVE-2025-2913.patch \
+    file://CVE-2025-2913-CVE-2025-2912.patch \
     file://CVE-2025-2914.patch \
     file://CVE-2025-2915.patch \
     file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \