author | Dana Robinson <43805+derobins@users.noreply.github.com> | 2022-11-10 01:03:55 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-10 01:03:55 (GMT) |
commit | a8942c7413e939344b1244f041b72def191718f2 (patch) | |
tree | 4521a16667e138eadaa37c0d5be67779e5b2d9a7 | |
parent | d93c6fae4313c497ca1383d1aef24203a29b5087 (diff) | |
Adds a release note for PR #2210 (CVE-2019-8396) (#2247)
* Adds a release note for PR #2210 (CVE-2019-8396)
* Capitalization issue fixed
-rw-r--r-- | release_docs/RELEASE.txt | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 47c9730..1b6999d 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -89,6 +89,17 @@ New Features Library: -------- + - Fix for CVE-2019-8396 + + Malformed HDF5 files may have truncated content which does not match + the expected size. When H5O__pline_decode() attempts to decode these it + may read past the end of the allocated space leading to heap overflows + as bounds checking is incomplete. + + The fix ensures each element is within bounds before reading. + + (2022/11/09 - HDFFV-10712, CVE-2019-8396, GitHub #2209) + - Removal of memory allocation sanity checks feature This feature added heap canaries and statistics tracking for internal |
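Review bot: The new entry is inserted at the top of the "Library:" list whose hunk-header context is "New Features", directly above "Removal of memory allocation sanity checks feature", but a CVE fix is a bug fix, and readers scanning the release notes for security fixes will look in the bug-fix section; consider moving it there. The reference line cites "GitHub #2209" while the commit subject says the note is for PR #2210; if one is the issue and the other the pull request, listing both would make the entry easier to trace. The description says H5O__pline_decode() "may read past the end of the allocated space leading to heap overflows"; a read past the end of a heap allocation is an out-of-bounds read, so wording such as "heap buffer over-read" would describe the impact more precisely.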