From patchwork Tue Oct 28 11:32:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 73171
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 1/7] hdf5: patch CVE-2025-2913 Date: Wed, 29 Oct 2025 00:32:41 +1300 Message-ID: <20251028113247.1761834-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> References: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 11:33:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121079 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2913 Signed-off-by: Ankur Tyagi --- .../hdf5/files/CVE-2025-2913.patch | 32 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch new file mode 100644 index 0000000000..e1614bee9b --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch 
@@ -0,0 +1,32 @@ +From 538a14fc5a1ed393495029d5054d934bc09844ee Mon Sep 17 00:00:00 2001 +From: bmribler <39579120+bmribler@users.noreply.github.com> +Date: Tue, 5 Aug 2025 09:12:33 -0400 +Subject: [PATCH] Fix reading bad size in the raw header continuation message + (#5710) + +This issue was reported in GH-5376 as a heap-use-after-free vulnerability in +one of the free lists. It appeared that the library came to this vulnerability +after it encountered an undetected reading of a bad value. The fuzzer now failed +with an appropriate error message. + +CVE: CVE-2025-2913 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a09c892bc97ac32d9515c3777ce07] +(cherry picked from commit 7cc8b5e1010a09c892bc97ac32d9515c3777ce07) +Signed-off-by: Ankur Tyagi +--- + src/H5Ocont.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/H5Ocont.c b/src/H5Ocont.c +index 621095a198..c03f4dd1e9 100644 +--- a/src/H5Ocont.c ++++ b/src/H5Ocont.c +@@ -100,6 +100,8 @@ H5O__cont_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE + if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_DECODE_LENGTH(f, p, cont->size); ++ if (cont->size == 0) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid continuation chunk size (0)"); + + cont->chunkno = 0; + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index f34e5f183d..d195ec2486 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -15,6 +15,7 @@ SRC_URI = " \ https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.4/src/${BPN}-${PV}.tar.gz \ file://0002-Remove-suffix-shared-from-shared-library-name.patch \ file://0001-cmake-remove-build-flags.patch \ + file://CVE-2025-2913.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
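Review bot: In the H5Ocont.c hunk, the new check in H5O__cont_decode rejects only `cont->size == 0`; any nonzero size read from the file is still accepted at this point, and nothing in the visible lines bounds it or `cont->addr` against the end of the file. If no caller does that, comparing address plus size against the file's end of allocation here would reject the bad value where it is decoded. It is also worth confirming that the function's error path releases `cont`, since the new HGOTO_ERROR fires after the structure has been filled in.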
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 2/7] hdf5: patch CVE-2025-2914 Date: Wed, 29 Oct 2025 00:32:42 +1300 Message-ID: <20251028113247.1761834-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> References: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 11:33:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121080 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2914 Signed-off-by: Ankur Tyagi --- .../hdf5/files/CVE-2025-2914.patch | 47 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2914.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2914.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2914.patch new file mode 100644 index 0000000000..c999e39d7e --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2914.patch 
@@ -0,0 +1,47 @@ +From 20a34d68dd837f83d90df45ead054bbeda999830 Mon Sep 17 00:00:00 2001 +From: bmribler <39579120+bmribler@users.noreply.github.com> +Date: Wed, 13 Aug 2025 14:45:41 -0400 +Subject: [PATCH] Refix of the attempts in PR-5209 (#5722) + +This PR addresses the root cause of the issue by adding a sanity-check immediately +after reading the file space page size from the file. + +The same fuzzer in GH-5376 was used to verify that the assert before the vulnerability +had occurred and that an error indicating a corrupted file space page size replaced it. + +CVE: CVE-2025-2914 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/804f3bace997e416917b235dbd3beac3652a8a05] +(cherry picked from commit 804f3bace997e416917b235dbd3beac3652a8a05) +Signed-off-by: Ankur Tyagi +--- + src/H5Fsuper.c | 2 ++ + src/H5Ofsinfo.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c +index 3e5bc9a3a2..4de4c1feb0 100644 +--- a/src/H5Fsuper.c ++++ b/src/H5Fsuper.c +@@ -756,6 +756,8 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, bool initial_read) + if (!(flags & H5O_MSG_FLAG_WAS_UNKNOWN)) { + H5O_fsinfo_t fsinfo; /* File space info message from superblock extension */ + ++ memset(&fsinfo, 0, sizeof(H5O_fsinfo_t)); ++ + /* f->shared->null_fsm_addr: Whether to drop free-space to the floor */ + /* The h5clear tool uses this property to tell the library + * to drop free-space to the floor +diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c +index 5b692357fc..2bb6ea6119 100644 +--- a/src/H5Ofsinfo.c ++++ b/src/H5Ofsinfo.c +@@ -182,6 +182,9 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU + if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_DECODE_LENGTH(f, p, fsinfo->page_size); /* File space page size */ ++ /* Basic sanity check */ ++ if (fsinfo->page_size == 0 || fsinfo->page_size > 
H5F_FILE_SPACE_PAGE_SIZE_MAX) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid page size in file space info"); + + if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index d195ec2486..875510b0e2 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -16,6 +16,7 @@ SRC_URI = " \ file://0002-Remove-suffix-shared-from-shared-library-name.patch \ file://0001-cmake-remove-build-flags.patch \ file://CVE-2025-2913.patch \ + file://CVE-2025-2914.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
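Review bot: In the H5Ofsinfo.c hunk, the sanity check on `fsinfo->page_size` bounds the value above by H5F_FILE_SPACE_PAGE_SIZE_MAX but rejects only zero below, so a page size of 1 passes. If the library defines a minimum page size, compare against that instead of 0. In the H5Fsuper.c hunk, `memset(&fsinfo, 0, sizeof(H5O_fsinfo_t))` would be more robust written with `sizeof(fsinfo)`, and a short comment saying why the struct must be zeroed before use would help the next reader.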
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 3/7] hdf5: patch CVE-2025-2915 Date: Wed, 29 Oct 2025 00:32:43 +1300 Message-ID: <20251028113247.1761834-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> References: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 11:33:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121081 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915 Signed-off-by: Ankur Tyagi --- .../hdf5/files/CVE-2025-2915.patch | 50 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch new file mode 100644 index 0000000000..83eb8ff504 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch 
@@ -0,0 +1,50 @@ +From 2bab8a1ffae567d35effa777dda82d423a80bccd Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Mon, 20 Oct 2025 07:47:28 -0500 +Subject: [PATCH] Fix CVE-2025-2915 (#5746) + +This PR fixes issue #5380, which has a heap based buffer overflow after H5MF_xfree is called on an address of 0 (file superblock). This PR changes an assert making sure addr isn't 0 to an if check. + +The bug was first reproduced using the fuzzer and the POC file from #5380. With this change, the heap based buffer overflow no longer occurs. + +CVE: CVE-2025-2915 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/26a76bafdef3a0950d348a08667de161a19b7c2c] +(cherry picked from commit 26a76bafdef3a0950d348a08667de161a19b7c2c) +Signed-off-by: Ankur Tyagi +--- + src/H5Faccum.c | 3 +++ + src/H5Ocache_image.c | 7 +++++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/H5Faccum.c b/src/H5Faccum.c +index 9c4c8cdbbd..145abd1cbd 100644 +--- a/src/H5Faccum.c ++++ b/src/H5Faccum.c +@@ -879,6 +879,9 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr + + /* Calculate the size of the overlap with the accumulator, etc. 
*/ + H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t); ++ /* Sanity check */ ++ /* Overlap size should not result in "negative" value after subtraction */ ++ assert(overlap_size < accum->size); + new_accum_size = accum->size - overlap_size; + + /* Move the accumulator buffer information to eliminate the freed block */ +diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c +index d91b46341c..c0ab004ec7 100644 +--- a/src/H5Ocache_image.c ++++ b/src/H5Ocache_image.c +@@ -116,6 +116,13 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_DECODE_LENGTH(f, p, mesg->size); + ++ if (mesg->addr >= (HADDR_UNDEF - mesg->size)) ++ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows"); ++ if (mesg->addr == HADDR_UNDEF) ++ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined"); ++ if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_SUPER)) ++ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa"); ++ + /* Set return value */ + ret_value = (void *)mesg; + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 875510b0e2..59506526fb 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -17,6 +17,7 @@ SRC_URI = " \ file://0001-cmake-remove-build-flags.patch \ file://CVE-2025-2913.patch \ file://CVE-2025-2914.patch \ + file://CVE-2025-2915.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
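Review bot: In the H5Faccum.c hunk, the guard added before `new_accum_size = accum->size - overlap_size;` is an `assert`, which is compiled out when NDEBUG is defined, so a release build still performs the unsigned subtraction unchecked. The commit message describes turning an assert into an if check; this guard should follow suit and return an error through HGOTO_ERROR when `overlap_size >= accum->size`, so that production builds fail cleanly as well.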
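Review bot: In the H5Ocache_image.c hunk, the `mesg->addr == HADDR_UNDEF` test comes after `mesg->addr >= (HADDR_UNDEF - mesg->size)`, and an undefined address already satisfies that first comparison, so the "address is undefined" branch cannot be reached. Put the HADDR_UNDEF test first. The commit message also speaks of H5MF_xfree being called on address 0, yet none of the three checks rejects `mesg->addr == 0`; a comment saying where that case is handled would help.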
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 4/7] hdf5: patch CVE-2025-2923, CVE-2025-6816, CVE-2025-6856 Date: Wed, 29 Oct 2025 00:32:44 +1300 Message-ID: <20251028113247.1761834-5-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> References: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 11:33:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121082 Single PR[1] addressed all three vulnerabilities Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2923 https://nvd.nist.gov/vuln/detail/CVE-2025-6816 https://nvd.nist.gov/vuln/detail/CVE-2025-6856 [1] https://github.com/HDFGroup/hdf5/pull/5829 Signed-off-by: Ankur Tyagi --- ...025-2923-CVE-2025-6816-CVE-2025-6856.patch | 65 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch new file mode 100644 index 0000000000..47dc6b1ac7 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch 
@@ -0,0 +1,65 @@ +From 951ebdce0098dac1042d5e9650e655c6c1f92904 Mon Sep 17 00:00:00 2001 +From: jhendersonHDF +Date: Fri, 26 Sep 2025 13:13:10 -0500 +Subject: [PATCH] Fix issue with handling of corrupted object header continuation messages (#5829) + +An HDF5 file could be specifically constructed such that an object +header contained a corrupted continuation message which pointed +back to itself. This eventually resulted in an internal buffer being +allocated with too small of a size, leading to a heap buffer overflow +when encoding an object header message into it. This has been fixed +by checking the expected number of deserialized object header chunks +against the actual value as chunks are being deserialized. + +Fixes CVE-2025-6816, CVE-2025-6856, CVE-2025-2923 + +CVE: CVE-2025-2923, CVE-2025-6816, CVE-2025-6856 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675] + +(cherry picked from commit 29c847a43db0cdc85b01cafa5a7613ea73932675) +Signed-off-by: Ankur Tyagi +--- + src/H5Oint.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/H5Oint.c b/src/H5Oint.c +index 022ee43..a5e0072 100644 +--- a/src/H5Oint.c ++++ b/src/H5Oint.c +@@ -1013,10 +1013,9 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks) + */ + curr_msg = 0; + while (curr_msg < cont_msg_info.nmsgs) { +- H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */ +-#ifndef NDEBUG +- size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */ +-#endif /* NDEBUG */ ++ H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */ ++ unsigned chunkno; /* Chunk number for chunk proxy */ ++ size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */ + + /* Bring the chunk into the cache */ + /* (which adds to the object header) */ +@@ -1029,14 +1028,20 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool 
pin_all_chunks) + + /* Sanity check */ + assert(chk_proxy->oh == oh); +- assert(chk_proxy->chunkno == chkcnt); +- assert(oh->nchunks == (chkcnt + 1)); ++ ++ chunkno = chk_proxy->chunkno; + + /* Release the chunk from the cache */ + if (H5AC_unprotect(loc->file, H5AC_OHDR_CHK, cont_msg_info.msgs[curr_msg].addr, chk_proxy, + H5AC__NO_FLAGS_SET) < 0) + HGOTO_ERROR(H5E_OHDR, H5E_CANTUNPROTECT, NULL, "unable to release object header chunk"); + ++ if (chunkno != chkcnt) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "incorrect chunk number for object header chunk"); ++ if (oh->nchunks != (chkcnt + 1)) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, ++ "incorrect number of chunks after deserializing object header chunk"); ++ + /* Advance to next continuation message */ + curr_msg++; + } /* end while */ diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 59506526fb..ca963fdc8f 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -18,6 +18,7 @@ SRC_URI = " \ file://CVE-2025-2913.patch \ file://CVE-2025-2914.patch \ file://CVE-2025-2915.patch \ + file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" From patchwork Tue Oct 28 11:32:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 73176
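Review bot: In the object header hunk that ends at "/* Advance to next continuation message */", assert(chk_proxy->oh == oh) is left as an assert while the two checks beside it were converted to HGOTO_ERROR, so it is compiled out in any build that defines NDEBUG. If that back-pointer can disagree for a malformed file, it should get the same treatment as chunkno: capture the comparison before H5AC_unprotect and raise H5E_BADVALUE afterwards. If it is a purely internal invariant, a one-line comment saying so would explain why it alone stayed an assert.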
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 5/7] hdf5: patch CVE-2025-2924 Date: Wed, 29 Oct 2025 00:32:45 +1300 Message-ID: <20251028113247.1761834-6-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> References: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 11:33:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121083 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2924 Signed-off-by: Ankur Tyagi --- .../hdf5/files/CVE-2025-2924.patch | 37 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2924.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2924.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2924.patch new file mode 100644 index 0000000000..1a9185dd66 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2924.patch 
@@ -0,0 +1,37 @@ +From 3a6f6c1f57c09281d4a9d11a1ae809fd21b666dd Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Mon, 15 Sep 2025 07:56:54 -0500 +Subject: [PATCH] Fixes heap-based buffer overflow in H5HL__fl_deserialize by adding an overflow check. + +CVE: CVE-2025-2924 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/0a57195ca67d278f1cf7d01566c121048e337a59] + +(cherry picked from commit 0a57195ca67d278f1cf7d01566c121048e337a59) +Signed-off-by: Ankur Tyagi +--- + src/H5HLcache.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/H5HLcache.c b/src/H5HLcache.c +index d0836fe..7f412d2 100644 +--- a/src/H5HLcache.c ++++ b/src/H5HLcache.c +@@ -225,6 +225,7 @@ H5HL__fl_deserialize(H5HL_t *heap) + /* check arguments */ + assert(heap); + assert(!heap->freelist); ++ HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t)); + + /* Build free list */ + free_block = heap->free_block; +@@ -232,6 +233,10 @@ H5HL__fl_deserialize(H5HL_t *heap) + const uint8_t *image; /* Pointer into image buffer */ + + /* Sanity check */ ++ ++ if (free_block > UINT64_MAX - (2 * heap->sizeof_size)) ++ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow"); ++ + if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size) + HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list"); + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index ca963fdc8f..6bc56f22cc 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -19,6 +19,7 @@ SRC_URI = " \ file://CVE-2025-2914.patch \ file://CVE-2025-2915.patch \ file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \ + file://CVE-2025-2924.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" From patchwork Tue Oct 28 11:32:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 73175
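Review bot: In the H5HL__fl_deserialize hunk at "@@ -232,6 +233,10 @@" of CVE-2025-2924.patch, the new guard compares free_block against UINT64_MAX, but nothing in the hunk shows that free_block is a 64-bit type; the HDcompile_assert added in the previous hunk only constrains hsize_t. If free_block is a size_t, then on a 32-bit target the sum in the following test, (free_block + (2 * heap->sizeof_size)) > heap->dblk_size, wraps at SIZE_MAX and the new check can never fire. Bounding against the maximum of free_block's own type, or rewriting the existing test as a subtraction from heap->dblk_size after confirming dblk_size is at least 2 * heap->sizeof_size, would hold for both word sizes. The blank line between "/* Sanity check */" and the new if also separates the comment from the code it labels.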
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 6/7] hdf5: patch CVE-2025-2925 Date: Wed, 29 Oct 2025 00:32:46 +1300 Message-ID: <20251028113247.1761834-7-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> References: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 11:33:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121084 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2925 Signed-off-by: Ankur Tyagi --- .../hdf5/files/CVE-2025-2925.patch | 53 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2925.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2925.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2925.patch new file mode 100644 index 0000000000..23bc4e5577 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2925.patch 
@@ -0,0 +1,53 @@ +From 57a511958842f50cbf07b05262f2fe95e70c141b Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Thu, 9 Oct 2025 14:48:55 -0500 +Subject: [PATCH] Fix CVE-2025-2925 (#5739) + +This PR fixes issue #5383, which was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being 0. When realloc was called, it freed image, but gets sent to done before new_image can be assigned to image. Because the pointer for image isn't null, it attempts to free it here again, causing the double free to occur. This PR addresses Quincey's concern and fixes the issue while preserving new_image and image. + +The bug was first reproduced using the fuzzer and the POC file from #5383. With this change, the double free no longer occurs. + +CVE: CVE-2025-2925 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/4310c19608455c17a213383d07715efb2918defc] + +(cherry picked from commit 4310c19608455c17a213383d07715efb2918defc) +Signed-off-by: Ankur Tyagi +--- + src/H5Centry.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/H5Centry.c b/src/H5Centry.c +index 6883e89..bef93d8 100644 +--- a/src/H5Centry.c ++++ b/src/H5Centry.c +@@ -1051,9 +1051,14 @@ H5C__load_entry(H5F_t *f, + */ + do { + if (actual_len != len) { ++ /* Verify that the length isn't a bad value */ ++ if (len == 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value"); ++ + if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE))) + HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + image = (uint8_t *)new_image; ++ + #if H5C_DO_MEMORY_SANITY_CHECKS + H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); + #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ +@@ -1104,10 +1109,15 @@ H5C__load_entry(H5F_t *f, + if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA"); + ++ /* Verify that the 
length isn't 0 */ ++ if (actual_len == 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value"); ++ + /* Expand buffer to new size */ + if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE))) + HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + image = (uint8_t *)new_image; ++ + #if H5C_DO_MEMORY_SANITY_CHECKS + H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); + #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 6bc56f22cc..2832c7e851 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -20,6 +20,7 @@ SRC_URI = " \ file://CVE-2025-2915.patch \ file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \ file://CVE-2025-2924.patch \ + file://CVE-2025-2925.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" From patchwork Tue Oct 28 11:32:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 73177
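Review bot: In the first H5C__load_entry hunk ("@@ -1051,9 +1051,14 @@") of CVE-2025-2925.patch, the guard tests len == 0, while the value handed to H5MM_realloc is len + H5C_IMAGE_EXTRA_SPACE, which is the quantity the commit message identifies as the zero that led to the double free. The two conditions coincide only when H5C_IMAGE_EXTRA_SPACE is 0; when it is non-zero, a len close to SIZE_MAX can still wrap the sum to zero or to a very small allocation. Consider also rejecting len > SIZE_MAX - H5C_IMAGE_EXTRA_SPACE at this point, or testing the computed size directly.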
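Review bot: In the second H5C__load_entry hunk ("@@ -1104,10 +1109,15 @@") of CVE-2025-2925.patch, the error text "actual_len is a bad value" directly follows a check whose text is "actual_len exceeds EOA", and the comment here says the length "isn't 0" while the matching comment in the first hunk says "isn't a bad value". Naming the condition in the message, for example "actual_len is zero", and using the same comment wording in both places would make the two failure paths distinguishable in an error stack.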
From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 7/7] hdf5: patch CVE-2025-6269, CVE-2025-6270, CVE-2025-6516 Date: Wed, 29 Oct 2025 00:32:47 +1300 Message-ID: <20251028113247.1761834-8-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> References: <20251028113247.1761834-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 11:33:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121085 As mentioned in the issues [1],[2] and [3], PR[4] addressed several vulnerabilities. [1] https://github.com/HDFGroup/hdf5/issues/5581#issuecomment-3251977160 [2] https://github.com/HDFGroup/hdf5/issues/5579#issuecomment-2993915196 [3] https://github.com/HDFGroup/hdf5/issues/5580#issuecomment-2993727142 [4] https://github.com/HDFGroup/hdf5/pull/5756 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-6269 https://nvd.nist.gov/vuln/detail/CVE-2025-6270 https://nvd.nist.gov/vuln/detail/CVE-2025-6516 Signed-off-by: Ankur Tyagi --- ...-6269-CVE-2025-6270-CVE-2025-6516_01.patch | 65 +++++ ...-6269-CVE-2025-6270-CVE-2025-6516_02.patch | 252 ++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 2 + 3 files changed, 319 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch new file mode 100644 index 0000000000..c09ade1c4c --- /dev/null 
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch 
@@ -0,0 +1,65 @@ +From ac57aaf0186ba175947d370496934fd399fbc225 Mon Sep 17 00:00:00 2001 +From: aled-ua +Date: Wed, 15 Jan 2025 15:02:25 -0600 +Subject: [PATCH] Fix vuln OSV-2023-77 (#5210) + +CVE: CVE-2025-6269, CVE-2025-6270, CVE-2025-6516 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/7f27ba8c3a8483c3d7e5e2cb21fefb2c7563422d] +(cherry picked from commit 7f27ba8c3a8483c3d7e5e2cb21fefb2c7563422d) +Signed-off-by: Ankur Tyagi +--- + src/H5Cimage.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/H5Cimage.c b/src/H5Cimage.c +index ec1af787d5..72dc52dafb 100644 +--- a/src/H5Cimage.c ++++ b/src/H5Cimage.c +@@ -118,7 +118,8 @@ do { \ + /* Helper routines */ + static size_t H5C__cache_image_block_entry_header_size(const H5F_t *f); + static size_t H5C__cache_image_block_header_size(const H5F_t *f); +-static herr_t H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf); ++static herr_t H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf, ++ size_t buf_size); + #ifndef NDEBUG /* only used in assertions */ + static herr_t H5C__decode_cache_image_entry(const H5F_t *f, const H5C_t *cache_ptr, const uint8_t **buf, + unsigned entry_num); +@@ -299,7 +300,7 @@ H5C__construct_cache_image_buffer(H5F_t *f, H5C_t *cache_ptr) + /* needed for sanity checks */ + fake_cache_ptr->image_len = cache_ptr->image_len; + q = (const uint8_t *)cache_ptr->image_buffer; +- status = H5C__decode_cache_image_header(f, fake_cache_ptr, &q); ++ status = H5C__decode_cache_image_header(f, fake_cache_ptr, &q, cache_ptr->image_len + 1); + assert(status >= 0); + + assert(NULL != p); +@@ -1269,7 +1270,7 @@ H5C__cache_image_block_header_size(const H5F_t *f) + *------------------------------------------------------------------------- + */ + static herr_t +-H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf) ++H5C__decode_cache_image_header(const H5F_t *f, 
H5C_t *cache_ptr, const uint8_t **buf, size_t buf_size) + { + uint8_t version; + uint8_t flags; +@@ -1289,6 +1290,10 @@ H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t * + /* Point to buffer to decode */ + p = *buf; + ++ /* Ensure buffer has enough data for signature comparison */ ++ if (H5_IS_BUFFER_OVERFLOW(p, H5C__MDCI_BLOCK_SIGNATURE_LEN, *buf + buf_size - 1)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, FAIL, "Insufficient buffer size for signature"); ++ + /* Check signature */ + if (memcmp(p, H5C__MDCI_BLOCK_SIGNATURE, (size_t)H5C__MDCI_BLOCK_SIGNATURE_LEN) != 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "Bad metadata cache image header signature"); +@@ -2388,7 +2393,7 @@ H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr) + + /* Decode metadata cache image header */ + p = (uint8_t *)cache_ptr->image_buffer; +- if (H5C__decode_cache_image_header(f, cache_ptr, &p) < 0) ++ if (H5C__decode_cache_image_header(f, cache_ptr, &p, cache_ptr->image_len + 1) < 0) + HGOTO_ERROR(H5E_CACHE, H5E_CANTDECODE, FAIL, "cache image header decode failed"); + assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < cache_ptr->image_len); + diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch new file mode 100644 index 0000000000..f7324f58c1 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch 
@@ -0,0 +1,252 @@ +From 89e3e43aa0f64a3bbd253bef658846d9ff030bdd Mon Sep 17 00:00:00 2001 +From: bmribler <39579120+bmribler@users.noreply.github.com> +Date: Thu, 25 Sep 2025 22:17:14 -0400 +Subject: [PATCH] Fixed CVE-2025-6269 (#5850) + +The GitHub issue #5579 included several security vulnerabilities in function +H5C__reconstruct_cache_entry(). + +This PR addressed them by: +- adding buffer size argument to the function +- adding buffer overflow checks +- adding input validations +- releasing allocated resource on failure + +These changes addressed the crashes reported. However, there is a skiplist +crash during the unwinding process that has to be investigated. + +CVE: CVE-2025-6269, CVE-2025-6270, CVE-2025-6516 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/3914bb7f7ec7105d8bfbeb3aebd92e867cff5b70] +(cherry picked from commit 3914bb7f7ec7105d8bfbeb3aebd92e867cff5b70) +Signed-off-by: Ankur Tyagi +--- + src/H5Cimage.c | 84 ++++++++++++++++++++++++++++++++++++++------------ + src/H5Ocont.c | 5 +-- + 2 files changed, 68 insertions(+), 21 deletions(-) + +diff --git a/src/H5Cimage.c b/src/H5Cimage.c +index 72dc52dafb..b97be228ed 100644 +--- a/src/H5Cimage.c ++++ b/src/H5Cimage.c +@@ -132,7 +132,8 @@ static void H5C__prep_for_file_close__compute_fd_heights_real(H5C_cache_entry_ + static herr_t H5C__prep_for_file_close__setup_image_entries_array(H5C_t *cache_ptr); + static herr_t H5C__prep_for_file_close__scan_entries(const H5F_t *f, H5C_t *cache_ptr); + static herr_t H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr); +-static H5C_cache_entry_t *H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf); ++static H5C_cache_entry_t *H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, hsize_t *buf_size, ++ const uint8_t **buf); + static herr_t H5C__write_cache_image_superblock_msg(H5F_t *f, bool create); + static herr_t H5C__read_cache_image(H5F_t *f, H5C_t *cache_ptr); + static herr_t 
H5C__write_cache_image(H5F_t *f, const H5C_t *cache_ptr); +@@ -2377,6 +2378,7 @@ H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr) + { + H5C_cache_entry_t *pf_entry_ptr; /* Pointer to prefetched entry */ + H5C_cache_entry_t *parent_ptr; /* Pointer to parent of prefetched entry */ ++ hsize_t image_len; /* Image length */ + const uint8_t *p; /* Pointer into image buffer */ + unsigned u, v; /* Local index variable */ + herr_t ret_value = SUCCEED; /* Return value */ +@@ -2392,10 +2394,11 @@ H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr) + assert(cache_ptr->image_len > 0); + + /* Decode metadata cache image header */ +- p = (uint8_t *)cache_ptr->image_buffer; +- if (H5C__decode_cache_image_header(f, cache_ptr, &p, cache_ptr->image_len + 1) < 0) ++ p = (uint8_t *)cache_ptr->image_buffer; ++ image_len = cache_ptr->image_len; ++ if (H5C__decode_cache_image_header(f, cache_ptr, &p, image_len + 1) < 0) + HGOTO_ERROR(H5E_CACHE, H5E_CANTDECODE, FAIL, "cache image header decode failed"); +- assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < cache_ptr->image_len); ++ assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < image_len); + + /* The image_data_len and # of entries should be defined now */ + assert(cache_ptr->image_data_len > 0); +@@ -2407,7 +2410,7 @@ H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr) + /* Create the prefetched entry described by the ith + * entry in cache_ptr->image_entrise. 
+ */ +- if (NULL == (pf_entry_ptr = H5C__reconstruct_cache_entry(f, cache_ptr, &p))) ++ if (NULL == (pf_entry_ptr = H5C__reconstruct_cache_entry(f, cache_ptr, &image_len, &p))) + HGOTO_ERROR(H5E_CACHE, H5E_SYSTEM, FAIL, "reconstruction of cache entry failed"); + + /* Note that we make no checks on available cache space before +@@ -2563,19 +2566,21 @@ done: + *------------------------------------------------------------------------- + */ + static H5C_cache_entry_t * +-H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf) ++H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, hsize_t *buf_size, const uint8_t **buf) + { + H5C_cache_entry_t *pf_entry_ptr = NULL; /* Reconstructed cache entry */ + uint8_t flags = 0; + bool is_dirty = false; ++ haddr_t eoa; ++ bool is_fd_parent = false; + #ifndef NDEBUG /* only used in assertions */ +- bool in_lru = false; +- bool is_fd_parent = false; +- bool is_fd_child = false; ++ bool in_lru = false; ++ bool is_fd_child = false; + #endif +- const uint8_t *p; + bool file_is_rw; +- H5C_cache_entry_t *ret_value = NULL; /* Return value */ ++ const uint8_t *p; ++ const uint8_t *p_end = *buf + *buf_size - 1; /* Pointer to last valid byte in buffer */ ++ H5C_cache_entry_t *ret_value = NULL; /* Return value */ + + FUNC_ENTER_PACKAGE + +@@ -2595,9 +2600,15 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + p = *buf; + + /* Decode type id */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + pf_entry_ptr->prefetch_type_id = *p++; ++ if (pf_entry_ptr->prefetch_type_id < H5AC_BT_ID || pf_entry_ptr->prefetch_type_id >= H5AC_NTYPES) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "type id is out of valid range"); + + /* Decode flags */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + flags = *p++; + if 
(flags & H5C__MDCI_ENTRY_DIRTY_FLAG) + is_dirty = true; +@@ -2625,19 +2636,31 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + pf_entry_ptr->is_dirty = (is_dirty && file_is_rw); + + /* Decode ring */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + pf_entry_ptr->ring = *p++; +- assert(pf_entry_ptr->ring > (uint8_t)(H5C_RING_UNDEFINED)); +- assert(pf_entry_ptr->ring < (uint8_t)(H5C_RING_NTYPES)); ++ if (pf_entry_ptr->ring >= (uint8_t)(H5C_RING_NTYPES)) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "ring is out of valid range"); + + /* Decode age */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + pf_entry_ptr->age = *p++; ++ if (pf_entry_ptr->age > H5AC__CACHE_IMAGE__ENTRY_AGEOUT__MAX) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "entry age is out of policy range"); + + /* Decode dependency child count */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, pf_entry_ptr->fd_child_count); +- assert((is_fd_parent && pf_entry_ptr->fd_child_count > 0) || +- (!is_fd_parent && pf_entry_ptr->fd_child_count == 0)); ++ if (is_fd_parent && pf_entry_ptr->fd_child_count <= 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "parent entry has no children"); ++ else if (!is_fd_parent && pf_entry_ptr->fd_child_count != 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "non-parent entry has children"); + + /* Decode dirty dependency child count */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, pf_entry_ptr->fd_dirty_child_count); + if (!file_is_rw) + pf_entry_ptr->fd_dirty_child_count = 0; +@@ -2645,20 +2668,32 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t 
*cache_ptr, const uint8_t **b + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid dirty flush dependency child count"); + + /* Decode dependency parent count */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, pf_entry_ptr->fd_parent_count); + assert((is_fd_child && pf_entry_ptr->fd_parent_count > 0) || + (!is_fd_child && pf_entry_ptr->fd_parent_count == 0)); + + /* Decode index in LRU */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 4, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + INT32DECODE(p, pf_entry_ptr->lru_rank); + assert((in_lru && pf_entry_ptr->lru_rank >= 0) || (!in_lru && pf_entry_ptr->lru_rank == -1)); + + /* Decode entry offset */ ++ if (H5_IS_BUFFER_OVERFLOW(p, H5F_SIZEOF_ADDR(f), p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_addr_decode(f, &p, &pf_entry_ptr->addr); +- if (!H5_addr_defined(pf_entry_ptr->addr)) +- HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid entry offset"); ++ ++ /* Validate address range */ ++ eoa = H5F_get_eoa(f, H5FD_MEM_DEFAULT); ++ if (!H5_addr_defined(pf_entry_ptr->addr) || H5_addr_overflow(pf_entry_ptr->addr, pf_entry_ptr->size) || ++ H5_addr_ge(pf_entry_ptr->addr + pf_entry_ptr->size, eoa)) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid entry address range"); + + /* Decode entry length */ ++ if (H5_IS_BUFFER_OVERFLOW(p, H5F_SIZEOF_SIZE(f), p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_DECODE_LENGTH(f, p, pf_entry_ptr->size); + if (pf_entry_ptr->size == 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid entry size"); +@@ -2679,6 +2714,9 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + "memory allocation failed for fd parent addrs buffer"); + + for (u = 0; u < pf_entry_ptr->fd_parent_count; u++) { ++ ++ 
if (H5_IS_BUFFER_OVERFLOW(p, H5F_SIZEOF_ADDR(f), p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_addr_decode(f, &p, &(pf_entry_ptr->fd_parent_addrs[u])); + if (!H5_addr_defined(pf_entry_ptr->fd_parent_addrs[u])) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid flush dependency parent offset"); +@@ -2694,6 +2732,8 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ + + /* Copy the entry image from the cache image block */ ++ if (H5_IS_BUFFER_OVERFLOW(p, pf_entry_ptr->size, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5MM_memcpy(pf_entry_ptr->image_ptr, p, pf_entry_ptr->size); + p += pf_entry_ptr->size; + +@@ -2708,14 +2748,20 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + /* Sanity checks */ + assert(pf_entry_ptr->size > 0 && pf_entry_ptr->size < H5C_MAX_ENTRY_SIZE); + +- /* Update buffer pointer */ ++ /* Update buffer pointer and buffer len */ ++ *buf_size -= (hsize_t)(p - *buf); + *buf = p; + + ret_value = pf_entry_ptr; + + done: +- if (NULL == ret_value && pf_entry_ptr) ++ if (NULL == ret_value && pf_entry_ptr) { ++ if (pf_entry_ptr->image_ptr) ++ H5MM_xfree(pf_entry_ptr->image_ptr); ++ if (pf_entry_ptr->fd_parent_count > 0 && pf_entry_ptr->fd_parent_addrs) ++ H5MM_xfree(pf_entry_ptr->fd_parent_addrs); + pf_entry_ptr = H5FL_FREE(H5C_cache_entry_t, pf_entry_ptr); ++ } + + FUNC_LEAVE_NOAPI(ret_value) + } /* H5C__reconstruct_cache_entry() */ +diff --git a/src/H5Ocont.c b/src/H5Ocont.c +index c03f4dd1e9..4b1840448a 100644 +--- a/src/H5Ocont.c ++++ b/src/H5Ocont.c +@@ -93,6 +93,9 @@ H5O__cont_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE + HGOTO_ERROR(H5E_OHDR, H5E_NOSPACE, NULL, "memory allocation failed"); + + /* Decode */ ++ ++ cont->chunkno = 0; ++ + if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_addr(f), p_end)) 
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_addr_decode(f, &p, &(cont->addr)); +@@ -103,8 +106,6 @@ H5O__cont_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE + if (cont->size == 0) + HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid continuation chunk size (0)"); + +- cont->chunkno = 0; +- + /* Set return value */ + ret_value = cont; + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 2832c7e851..80828ad30c 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -21,6 +21,8 @@ SRC_URI = " \ file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \ file://CVE-2025-2924.patch \ file://CVE-2025-2925.patch \ + file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch \ + file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
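Review bot: In CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch, both callers of H5C__decode_cache_image_header pass cache_ptr->image_len + 1 as buf_size, and the callee ("@@ -1289,6 +1290,10 @@") forms its end pointer as *buf + buf_size - 1, which therefore points one byte past image_len. That is only safe if image_buffer is allocated with image_len + 1 bytes, which none of the hunks show; please add a comment at the call sites stating where the extra byte comes from, or pass image_len. In the visible lines buf_size is also consulted only for the signature comparison, and because it is taken by value the caller learns nothing about how much of the buffer the header consumed.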
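Review bot: In the H5C__reconstruct_cache_entry hunk at "@@ -2563,19 +2566,21 @@" of the _02 patch, p_end is computed as *buf + *buf_size - 1, but the caller ("@@ -2392,10 +2394,11 @@") sets image_len to cache_ptr->image_len and then lets H5C__decode_cache_image_header advance p without reducing image_len, since that function takes its size by value. On the first entry *buf is already past the header while *buf_size is still the full image length, so p_end lies beyond the end of the image by the header size and every H5_IS_BUFFER_OVERFLOW test in this function is that much too permissive. Subtract the bytes consumed by the header from image_len before the entry loop, or pass a fixed end pointer computed once from image_buffer.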
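Review bot: In the hunk at "@@ -2625,19 +2636,31 @@" of the _02 patch, the removed assert(pf_entry_ptr->ring > (uint8_t)(H5C_RING_UNDEFINED)) has no runtime replacement: the new test only rejects ring >= H5C_RING_NTYPES, so an entry whose ring byte equals H5C_RING_UNDEFINED is now accepted in every build. Add the lower bound to the same condition. In the same hunk, the test pf_entry_ptr->fd_child_count <= 0 is applied to a count decoded with UINT16DECODE, where == 0 would state the intent more directly.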
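Review bot: In the hunk at "@@ -2645,20 +2668,32 @@" of the _02 patch, the new address-range validation reads pf_entry_ptr->size in H5_addr_overflow() and in pf_entry_ptr->addr + pf_entry_ptr->size, but size is only assigned by H5F_DECODE_LENGTH a few lines later under "Decode entry length". As written, the range test runs against whatever size held before decoding, so it does not bound the entry image that is copied afterwards. Move the validation to after the length decode and its size == 0 check. The fd_parent_count and lru_rank consistency tests in this hunk also remain asserts, unlike the fd_child_count test that the previous hunk converted to HGOTO_ERROR.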