From patchwork Tue Oct 14 14:55:24 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 72268
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 1/6] hdf5: patch CVE-2025-2153
Date: Tue, 14 Oct 2025 16:55:24 +0200
Message-ID: <20251014145529.1078084-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120612

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2153

Pick the patch that resolved the issue from the nvd report.

Signed-off-by: Gyorgy Sarvari
---
 .../files/0001-Fix-CVE-2025-2153-5795.patch | 47 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | 10 ++--
 2 files changed, 52 insertions(+), 5 deletions(-)
 create mode 100644 meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2153-5795.patch

diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2153-5795.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2153-5795.patch new file mode 100644 index 0000000000..4b31718dea --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2153-5795.patch
@@ -0,0 +1,47 @@ +From 183c8aeb601a02a38dd6815bcb651a7317b1b647 Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Thu, 9 Oct 2025 07:51:49 -0500 +Subject: [PATCH] Fix CVE-2025-2153 (#5795) + +This PR fixes #5329. Previously, the message flags field was able to be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t could be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they indicate they can be shared. + +The bug was first reproduced using the fuzzer and the POC file from #5329. With this change, the heap based buffer overflow no longer occurs. + +CVE: CVE-2025-2153 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0] + +Signed-off-by: Gyorgy Sarvari +--- + src/H5Ocache.c | 4 ++-- + src/H5Omessage.c | 3 +++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/H5Ocache.c b/src/H5Ocache.c +index 87f321c..12c30cf 100644 +--- a/src/H5Ocache.c ++++ b/src/H5Ocache.c +@@ -1399,8 +1399,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t + else { + /* Check for message of unshareable class marked as "shareable" + */ +- if ((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] && +- !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) ++ if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) && ++ H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) + HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, + "message of unshareable class flagged as shareable"); + +diff --git a/src/H5Omessage.c b/src/H5Omessage.c +index 7190e46..fb9006c 100644 +--- a/src/H5Omessage.c ++++ b/src/H5Omessage.c +@@ -354,6 +354,9 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m + */ + assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE)); + ++ /* Sanity 
check to see if the type is not sharable */ ++ assert(type->share_flags & H5O_SHARE_IS_SHARABLE); ++ + /* Remove the old message from the SOHM index */ + /* (It would be more efficient to try to share the message first, then + * delete it (avoiding thrashing the index in the case the ref. diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 974007a3e9..345598c8f2 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb 
@@ -11,11 +11,11 @@ inherit cmake siteinfo qemu multilib_header multilib_script DEPENDS += "qemu-native zlib" -SRC_URI = " \ - https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${BPN}-${PV}.tar.gz \ - file://0002-Remove-suffix-shared-from-shared-library-name.patch \ - file://0001-cmake-remove-build-flags.patch \ -" +SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${BPN}-${PV}.tar.gz \ + file://0002-Remove-suffix-shared-from-shared-library-name.patch \ + file://0001-cmake-remove-build-flags.patch \ + file://0001-Fix-CVE-2025-2153-5795.patch \ + " SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b" FILES:${PN} += "${libdir}/libhdf5.settings ${datadir}/*"
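
Review bot: in the embedded patch for [PATCH 1/6], the guard added to H5O__msg_write_real (src/H5Omessage.c) is "assert(type->share_flags & H5O_SHARE_IS_SHARABLE);", and a plain assert is compiled out when the library is built with NDEBUG defined, so it gives no protection in such a build. The check that actually rejects a crafted file is the extended condition in H5O__chunk_deserialize (src/H5Ocache.c), which now also tests H5O_MSG_FLAG_SHARED. The commit message should say which of the two is the enforcing check, and the error string "message of unshareable class flagged as shareable" could mention the shared flag too, since it now fires for both flags.
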
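
Review bot: the hdf5_1.14.6.bb hunk of [PATCH 1/6] rewrites the whole SRC_URI assignment (the URL moves onto the SRC_URI = " line and every entry is re-indented) when the only functional change is the added "file://0001-Fix-CVE-2025-2153-5795.patch \" entry. Keeping the existing layout and adding that one line would keep the CVE fix minimal and easier to cherry-pick; the formatting change can go in a separate commit.
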
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 2/6] hdf5: patch CVE-2025-2310
Date: Tue, 14 Oct 2025 16:55:25 +0200
Message-ID: <20251014145529.1078084-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251014145529.1078084-1-skandigraun@gmail.com>
References: <20251014145529.1078084-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120613

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2310

Pick the patch that mentions the CVE in its description.

Signed-off-by: Gyorgy Sarvari
---
 .../files/0001-Fix-CVE-2025-2310-5872.patch | 41 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch

diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch new file mode 100644 index 0000000000..f15a7f9644 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2310-5872.patch
@@ -0,0 +1,41 @@ +From 7cc3c76f681fb4ca739457950352654aecd647a9 Mon Sep 17 00:00:00 2001 +From: Matt L <124107509+mattjala@users.noreply.github.com> +Date: Thu, 9 Oct 2025 16:10:23 -0500 +Subject: [PATCH] Fix CVE-2025-2310 (#5872) + +Malformed files can have a zero name-length, which when subtracted lead to an overflow and an out-of-bounds read. + +Check that name length is not too small in addition to checking for an overflow directly. + +CVE: CVE-2025-2310 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4] + +Signed-off-by: Gyorgy Sarvari +--- + src/H5Oattr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/H5Oattr.c b/src/H5Oattr.c +index 6d1d237..2f8c259 100644 +--- a/src/H5Oattr.c ++++ b/src/H5Oattr.c +@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u + if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, name_len); /* Including null */ ++ ++ /* Verify that retrieved name length (including null byte) is valid */ ++ if (name_len <= 1) ++ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid"); ++ + if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, attr->shared->dt_size); +@@ -190,6 +195,7 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u + */ + if (H5_IS_BUFFER_OVERFLOW(p, name_len, p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); ++ + if (NULL == (attr->shared->name = H5MM_strndup((const char *)p, name_len - 1))) + HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed"); + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 345598c8f2..52727cfae3 100644 
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb 
@@ -15,6 +15,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${ file://0002-Remove-suffix-shared-from-shared-library-name.patch \ file://0001-cmake-remove-build-flags.patch \ file://0001-Fix-CVE-2025-2153-5795.patch \ + file://0001-Fix-CVE-2025-2310-5872.patch \ " SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
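
Review bot: in the H5O__attr_decode hunk of the embedded patch for [PATCH 2/6], the new check is "if (name_len <= 1)", which rejects a length of 1 (a name consisting only of the terminating null) as well as the zero length the commit message describes. Only zero makes the later "name_len - 1" passed to H5MM_strndup wrap, so the comment and the message should state that empty names are being rejected too, and why. The second hunk of the embedded patch (at line 190 of src/H5Oattr.c) adds only a blank line.
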
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 3/6] hdf5: patch CVE-2025-2914
Date: Tue, 14 Oct 2025 16:55:26 +0200
Message-ID: <20251014145529.1078084-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251014145529.1078084-1-skandigraun@gmail.com>
References: <20251014145529.1078084-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120614

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2914

Pick the patch that is linked in the issue from the nvd report.

Signed-off-by: Gyorgy Sarvari
---
 ...efix-of-the-attempts-in-PR-5209-5722.patch | 47 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/0001-Refix-of-the-attempts-in-PR-5209-5722.patch

diff --git a/meta-oe/recipes-support/hdf5/files/0001-Refix-of-the-attempts-in-PR-5209-5722.patch b/meta-oe/recipes-support/hdf5/files/0001-Refix-of-the-attempts-in-PR-5209-5722.patch new file mode 100644 index 0000000000..bb18879b5e --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Refix-of-the-attempts-in-PR-5209-5722.patch
@@ -0,0 +1,47 @@ +From 0354419c3b5c6832c994b005903372f156b5fddb Mon Sep 17 00:00:00 2001 +From: bmribler <39579120+bmribler@users.noreply.github.com> +Date: Wed, 13 Aug 2025 14:45:41 -0400 +Subject: [PATCH] Refix of the attempts in PR-5209 (#5722) + +This PR addresses the root cause of the issue by adding a sanity-check immediately +after reading the file space page size from the file. + +The same fuzzer in GH-5376 was used to verify that the assert before the vulnerability +had occurred and that an error indicating a corrupted file space page size replaced it. + +CVE: CVE-2025-2914 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/804f3bace997e416917b235dbd3beac3652a8a05] + +Signed-off-by: Gyorgy Sarvari +--- + src/H5Fsuper.c | 2 ++ + src/H5Ofsinfo.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c +index d9fe3a7..1c8dc6c 100644 +--- a/src/H5Fsuper.c ++++ b/src/H5Fsuper.c +@@ -746,6 +746,8 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, bool initial_read) + if (!(flags & H5O_MSG_FLAG_WAS_UNKNOWN)) { + H5O_fsinfo_t fsinfo; /* File space info message from superblock extension */ + ++ memset(&fsinfo, 0, sizeof(H5O_fsinfo_t)); ++ + /* f->shared->null_fsm_addr: Whether to drop free-space to the floor */ + /* The h5clear tool uses this property to tell the library + * to drop free-space to the floor +diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c +index 5b69235..2bb6ea6 100644 +--- a/src/H5Ofsinfo.c ++++ b/src/H5Ofsinfo.c +@@ -182,6 +182,9 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU + if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_DECODE_LENGTH(f, p, fsinfo->page_size); /* File space page size */ ++ /* Basic sanity check */ ++ if (fsinfo->page_size == 0 || fsinfo->page_size > H5F_FILE_SPACE_PAGE_SIZE_MAX) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid 
page size in file space info"); + + if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 52727cfae3..9327c8cc91 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb 
@@ -16,6 +16,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${ file://0001-cmake-remove-build-flags.patch \ file://0001-Fix-CVE-2025-2153-5795.patch \ file://0001-Fix-CVE-2025-2310-5872.patch \ + file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \ " SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
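
Review bot: in the embedded patch for [PATCH 3/6], the src/H5Fsuper.c hunk adds "memset(&fsinfo, 0, sizeof(H5O_fsinfo_t));" in H5F__super_read, but the embedded commit message only describes the page-size check added to H5O__fsinfo_decode, so the reason for zeroing the local is undocumented. A one-line comment above the memset would cover it, and sizeof(fsinfo) would keep the size tied to the variable. Separately, this patch file is named after the upstream subject rather than the CVE, unlike the other files in the series, so the "CVE: CVE-2025-2914" tag is the only place the id appears inside it.
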
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 4/6] hdf5: patch CVE-2025-2924
Date: Tue, 14 Oct 2025 16:55:27 +0200
Message-ID: <20251014145529.1078084-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251014145529.1078084-1-skandigraun@gmail.com>
References: <20251014145529.1078084-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120615

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2924

Pick the patch that is marked to resolve the issue linked in the nvd report.

Signed-off-by: Gyorgy Sarvari
---
 .../files/0001-Fix-CVE-2025-2924-5814.patch | 36 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | 1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2924-5814.patch

diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2924-5814.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2924-5814.patch new file mode 100644 index 0000000000..a86b5a491b --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2924-5814.patch
@@ -0,0 +1,36 @@ +From f76c5adea55edec75680fdd7365cc97abc112d0e Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Mon, 15 Sep 2025 07:56:54 -0500 +Subject: [PATCH] Fix CVE-2025-2924 (#5814) + +CVE: CVE-2025-2924 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/0a57195ca67d278f1cf7d01566c121048e337a59] + +Signed-off-by: Gyorgy Sarvari +--- + src/H5HLcache.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/H5HLcache.c b/src/H5HLcache.c +index d0836fe..7f412d2 100644 +--- a/src/H5HLcache.c ++++ b/src/H5HLcache.c +@@ -225,6 +225,7 @@ H5HL__fl_deserialize(H5HL_t *heap) + /* check arguments */ + assert(heap); + assert(!heap->freelist); ++ HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t)); + + /* Build free list */ + free_block = heap->free_block; +@@ -232,6 +233,10 @@ H5HL__fl_deserialize(H5HL_t *heap) + const uint8_t *image; /* Pointer into image buffer */ + + /* Sanity check */ ++ ++ if (free_block > UINT64_MAX - (2 * heap->sizeof_size)) ++ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow"); ++ + if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size) + HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list"); + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 9327c8cc91..39326d3072 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb 
@@ -17,6 +17,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${ file://0001-Fix-CVE-2025-2153-5795.patch \ file://0001-Fix-CVE-2025-2310-5872.patch \ file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \ + file://0001-Fix-CVE-2025-2924-5814.patch \ " SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
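
Review bot: in the H5HL__fl_deserialize hunk of the embedded patch for [PATCH 4/6], the new overflow guard compares free_block against "UINT64_MAX - (2 * heap->sizeof_size)", while the added HDcompile_assert only pins the width of hsize_t, and the hunk does not show the declared type of free_block. If free_block is narrower than 64 bits on some targets (a size_t on a 32-bit build, for example), the comparison can never be true there and the sum in the following "free_block + (2 * heap->sizeof_size)" check could still wrap. Worth confirming the type, or bounding against that type's own maximum. The embedded patch also carries no description beyond its subject, and the existing "Sanity check" comment is now separated from the check it described.
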
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 5/6] hdf5: patch CVE-2025-2925 Date: Tue, 14 Oct 2025 16:55:28 +0200 Message-ID: <20251014145529.1078084-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251014145529.1078084-1-skandigraun@gmail.com> References: <20251014145529.1078084-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 14:55:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120616 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2925 Pick the patch that's marked to resolve the issue linked in the nvd report. Signed-off-by: Gyorgy Sarvari --- .../files/0001-Fix-CVE-2025-2925-5739.patch | 52 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch new file mode 100644 index 0000000000..7a0afba423 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch 
@@ -0,0 +1,52 @@ +From ad959fdac99810ea64504d7bdfc7724c5ca25e21 Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Thu, 9 Oct 2025 14:48:55 -0500 +Subject: [PATCH] Fix CVE-2025-2925 (#5739) + +This PR fixes issue #5383, which was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being 0. When realloc was called, it freed image, but gets sent to done before new_image can be assigned to image. Because the pointer for image isn't null, it attempts to free it here again, causing the double free to occur. This PR addresses Quincey's concern and fixes the issue while preserving new_image and image. + +The bug was first reproduced using the fuzzer and the POC file from #5383. With this change, the double free no longer occurs. + +CVE: CVE-2025-2925 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/4310c19608455c17a213383d07715efb2918defc] + +Signed-off-by: Gyorgy Sarvari +--- + src/H5Centry.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/H5Centry.c b/src/H5Centry.c +index 1ca7479..77bc00d 100644 +--- a/src/H5Centry.c ++++ b/src/H5Centry.c +@@ -1051,9 +1051,14 @@ H5C__load_entry(H5F_t *f, + */ + do { + if (actual_len != len) { ++ /* Verify that the length isn't a bad value */ ++ if (len == 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value"); ++ + if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE))) + HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + image = (uint8_t *)new_image; ++ + #if H5C_DO_MEMORY_SANITY_CHECKS + H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); + #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ +@@ -1104,10 +1109,15 @@ H5C__load_entry(H5F_t *f, + if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA"); + ++ /* Verify that the length isn't 0 */ ++ if (actual_len == 0) ++ HGOTO_ERROR(H5E_CACHE, 
H5E_BADVALUE, NULL, "actual_len is a bad value"); ++ + /* Expand buffer to new size */ + if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE))) + HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + image = (uint8_t *)new_image; ++ + #if H5C_DO_MEMORY_SANITY_CHECKS + H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); + #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 39326d3072..3ff96d7301 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb 
@@ -18,6 +18,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${ file://0001-Fix-CVE-2025-2310-5872.patch \ file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \ file://0001-Fix-CVE-2025-2924-5814.patch \ + file://0001-Fix-CVE-2025-2925-5739.patch \ " SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
From patchwork Tue Oct 14 14:55:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72270
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 6/6] hdf5: patch CVE-2025-6750 Date: Tue, 14 Oct 2025 16:55:29 +0200 Message-ID: <20251014145529.1078084-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251014145529.1078084-1-skandigraun@gmail.com> References: <20251014145529.1078084-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 14:55:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120617 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-6750 Pick the patch that is marked to resolve the issue linked in the nvd report. Signed-off-by: Gyorgy Sarvari --- .../files/0001-Fixes-CVE-2025-6750-5856.patch | 87 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch new file mode 100644 index 0000000000..cf8687f010 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch 
@@ -0,0 +1,87 @@ +From 7159488b73fb429a78f79763f7b3775a3c160fad Mon Sep 17 00:00:00 2001 +From: bmribler <39579120+bmribler@users.noreply.github.com> +Date: Fri, 26 Sep 2025 11:46:50 -0400 +Subject: [PATCH] Fixes CVE-2025-6750 (#5856) + +* Fixes CVE-2025-6750 + +A heap buffer overflow occurred because an mtime message was not properly decoded, resulting in a buffer of size 0 being passed into the encoder. + +This PR added decoding for both old and new mtime messages which will allow invalid message size to be detected. + +Fixes #5549 + +CVE: CVE-2025-6750 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54] + +Signed-off-by: Gyorgy Sarvari +--- + src/H5Ocache.c | 41 +++++++++++++++++++++++++++++++++++------ + 1 file changed, 35 insertions(+), 6 deletions(-) + +diff --git a/src/H5Ocache.c b/src/H5Ocache.c +index 12c30cf..e6095a7 100644 +--- a/src/H5Ocache.c ++++ b/src/H5Ocache.c +@@ -1265,6 +1265,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t + if (mesg_size != H5O_ALIGN_OH(oh, mesg_size)) + HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned"); + ++ if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end)) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message size exceeds buffer end"); ++ + /* Message flags */ + if (H5_IS_BUFFER_OVERFLOW(chunk_image, 1, p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding"); +@@ -1297,12 +1300,6 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t + } + } + +- /* Try to detect invalidly formatted object header message that +- * extends past end of chunk. 
+- */ +- if (chunk_image + mesg_size > eom_ptr) +- HGOTO_ERROR(H5E_OHDR, H5E_CANTINIT, FAIL, "corrupt object header"); +- + /* Increment count of null messages */ + if (H5O_NULL_ID == id) + nullcnt++; +@@ -1449,6 +1446,38 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t + HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount"); + oh->nlink = *refcount; + } ++ /* Check if message is an old mtime message */ ++ else if (H5O_MTIME_ID == id) { ++ time_t *mtime = NULL; ++ ++ /* Decode mtime message */ ++ mtime = ++ (time_t *)(H5O_MSG_MTIME->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw); ++ ++ /* Save the decoded old format mtime */ ++ if (!mtime) ++ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode old format mtime"); ++ ++ /* Save 'native' form of mtime message and its value */ ++ mesg->native = mtime; ++ oh->ctime = *mtime; ++ } ++ /* Check if message is an new mtime message */ ++ else if (H5O_MTIME_NEW_ID == id) { ++ time_t *mtime = NULL; ++ ++ /* Decode mtime message */ ++ mtime = (time_t *)(H5O_MSG_MTIME_NEW->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, ++ mesg->raw); ++ ++ /* Save the decoded new format mtime */ ++ if (!mtime) ++ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode new format mtime"); ++ ++ /* Save 'native' form of mtime message and its value */ ++ mesg->native = mtime; ++ oh->ctime = *mtime; ++ } + /* Check if message is a link message */ + else if (H5O_LINK_ID == id) { + /* Increment the count of link messages */ diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 3ff96d7301..7d75f0e7dc 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb 
@@ -19,6 +19,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${ file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \ file://0001-Fix-CVE-2025-2924-5814.patch \ file://0001-Fix-CVE-2025-2925-5739.patch \ + file://0001-Fixes-CVE-2025-6750-5856.patch \ " SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
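Review bot: in [PATCH 5/6], first src/H5Centry.c hunk (the `actual_len != len` branch of H5C__load_entry), the new guard tests `len == 0`, while the size passed to H5MM_realloc is `len + H5C_IMAGE_EXTRA_SPACE` and the commit message names that sum being 0 as the trigger. The guard and the trigger coincide only when H5C_IMAGE_EXTRA_SPACE is 0, so either test the sum that is actually handed to the allocator, or add a comment saying why rejecting every zero `len` is intended even when the extra space is nonzero.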
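Review bot: in [PATCH 5/6], second src/H5Centry.c hunk, the `actual_len == 0` check is a second copy of the zero-length guard with its own message string, and the diffstat lists only src/H5Centry.c (10 insertions), so the reproducer from #5383 mentioned in the commit message is not carried along as a regression test. Please note in the recipe commit how the backport was verified against 1.14.6, and consider asking upstream whether a test case for the zero-length image exists that could be picked as well.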
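Review bot: in [PATCH 6/6], the bounds check added in the first src/H5Ocache.c hunk is not equivalent to the one removed in the second hunk. It compares against p_end rather than eom_ptr, and it runs before the message flags byte is read, while the removed `chunk_image + mesg_size > eom_ptr` test sat later in H5O__chunk_deserialize, after those header bytes had been consumed. Please confirm that the bytes read between the two positions cannot leave the message body extending past the end of the chunk, and consider H5E_OVERFLOW for the new error so it matches the neighbouring H5_IS_BUFFER_OVERFLOW checks.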
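Review bot: in [PATCH 6/6], third src/H5Ocache.c hunk, both new branches end with `oh->ctime = *mtime;`, so a field named ctime is assigned from a modification-time message, and from whichever of H5O_MTIME_ID or H5O_MTIME_NEW_ID is decoded last in the chunk. A short comment stating that this is intended would help the next reader. The two branches differ only in the message class and error string and could share a helper. The comments "Save the decoded old/new format mtime" sit above the NULL check rather than the assignment they describe, and "an new mtime message" should read "a new mtime message".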