diff options
author | Dana Robinson <derobins@hdfgroup.org> | 2018-02-27 02:31:40 (GMT) |
---|---|---|
committer | Dana Robinson <derobins@hdfgroup.org> | 2018-02-27 02:31:40 (GMT) |
commit | 302053f978e38a8d4306a7c1233cdf8fd2ec28dd (patch) | |
tree | 969544258f45fab8be9a71d1b7ce367bc520c141 /release_docs | |
parent | 9ea358d971ae45698dba6794583a39c4023085ad (diff) | |
download | hdf5-302053f978e38a8d4306a7c1233cdf8fd2ec28dd.zip hdf5-302053f978e38a8d4306a7c1233cdf8fd2ec28dd.tar.gz hdf5-302053f978e38a8d4306a7c1233cdf8fd2ec28dd.tar.bz2 |
Fix for HDFFV-10355 (CVE-2017-17506).
Diffstat (limited to 'release_docs')
-rw-r--r-- | release_docs/RELEASE.txt | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 4675423..d52f6a5 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -232,6 +232,25 @@ Bug Fixes since HDF5-1.10.1 release (DER - 2017/11/21, HDFFV-10330) + - If an HDF5 file contains a filter pipeline message which contains + a 'number of filters' field that exceeds the actual number of + filters in the message, the HDF5 C library will read off the end of + the read buffer. + + This issue was reported to The HDF Group as issue #CVE-2017-17506. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + The problem was fixed by passing the buffer size with the buffer + and ensuring that the pointer cannot be incremented off the end + of the buffer. A mismatch between the number of filters declared + and the actual number of filters will now invoke normal HDF5 + error handling. + + (DER - 2018/02/26, HDFFV-10355) + Configuration ------------- - CMake |