author Larry Knox <lrknox@hdfgroup.org> 2023-03-29 18:15:11 (GMT)
committer GitHub <noreply@github.com> 2023-03-29 18:15:11 (GMT)
commit abdc160a97c78b01580308fe43204a202d3a6951 (patch)
tree 92e828b43bc13be1560f531c9d1d964a5a963d39 /release_docs
parent ab1af79798985b57401596677f7db8eb186f55a1 (diff)
Minor cherry-pick merges to 1.12 (#2581)
Diffstat (limited to 'release_docs')
-rw-r--r-- release_docs/RELEASE.txt 13
1 files changed, 13 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 23cdc36..97f137d 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -226,6 +226,19 @@ Bug Fixes since HDF5-1.12.1 release
hyperslab selection's dataspace.
(JTH - 2023/03/23)
+
+ - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+ Check for overflow when calculating on-disk attribute data size.
+
+ A bogus hdf5 file may contain dataspace messages with sizes
+ which lead to the on-disk data sizes to exceed what is addressable.
+ When calculating the size, make sure, the multiplication does not
+ overflow.
+ The test case was crafted in a way that the overflow caused the
+ size to be 0.
+
+ (EFE - 2023/02/11 GH-2458)
- Seg fault on file close
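Review bot: the added entry for CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf says an overflow check now guards the on-disk attribute data size calculation, but it does not say what the library does when that check fires. Add one sentence stating the outcome for a file that trips the check, so packagers and application authors can tell how a malformed file is now handled. The closing sentence "The test case was crafted in a way that the overflow caused the size to be 0" would also be more useful if it said why a size of 0 matters to the caller, since the entry never states the consequence of the overflow. Wording in the same entry: "which lead to the on-disk data sizes to exceed" reads better as "which cause the on-disk data size to exceed", the comma in "make sure, the multiplication" should go, and "hdf5 file" should be "HDF5 file" to match the section heading.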