diff options
author | Dana Robinson <derobins@hdfgroup.org> | 2018-02-27 02:31:40 (GMT) |
---|---|---|
committer | lrknox <lrknox> | 2018-05-10 21:43:47 (GMT) |
commit | b1a6873b1021c967b661727edae9de87d194f744 (patch) | |
tree | 81deb9506f7616af37caeeebaff525b7ef74aa0f /release_docs | |
parent | 11a188a4b6f1da0bd81c54976e6ceb8530d71aa1 (diff) | |
download | hdf5-b1a6873b1021c967b661727edae9de87d194f744.zip hdf5-b1a6873b1021c967b661727edae9de87d194f744.tar.gz hdf5-b1a6873b1021c967b661727edae9de87d194f744.tar.bz2 |
Fix for HDFFV-10355 (CVE-2017-17506).
(cherry picked from commit 302053f978e38a8d4306a7c1233cdf8fd2ec28dd)
Diffstat (limited to 'release_docs')
-rw-r--r-- | release_docs/RELEASE.txt | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index eb9f0d9..ebdb5f8 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -155,6 +155,25 @@ Bug Fixes since HDF5-1.8.20 (DER - 2018/02/06, HDFFV-10354) + - If an HDF5 file contains a filter pipeline message which contains + a 'number of filters' field that exceeds the actual number of + filters in the message, the HDF5 C library will read off the end of + the read buffer. + + This issue was reported to The HDF Group as issue #CVE-2017-17506. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + The problem was fixed by passing the buffer size with the buffer + and ensuring that the pointer cannot be incremented off the end + of the buffer. A mismatch between the number of filters declared + and the actual number of filters will now invoke normal HDF5 + error handling. + + (DER - 2018/02/26, HDFFV-10355) + Configuration ------------- - CMake |