diff options
| author | Allen Byrne <byrn@hdfgroup.org> | 2018-03-06 14:29:55 (GMT) |
|---|---|---|
| committer | Allen Byrne <byrn@hdfgroup.org> | 2018-03-06 14:29:55 (GMT) |
| commit | 1c3ba3721718c8089da65fae02f65068d8530fa7 (patch) | |
| tree | 2b2e1f5e70aa8208e75e34edd5077ca0b1cfa939 /release_docs | |
| parent | 8ae5f6804186e3121dfe933d6bf9c9044f8ae9d6 (diff) | |
| parent | d8723ac1178a69c4dff7164203d999d61c2159bb (diff) | |
| download | hdf5-1c3ba3721718c8089da65fae02f65068d8530fa7.zip hdf5-1c3ba3721718c8089da65fae02f65068d8530fa7.tar.gz hdf5-1c3ba3721718c8089da65fae02f65068d8530fa7.tar.bz2 | |
Merging in latest from upstream (HDFFV/hdf5:refs/heads/develop)
* commit 'd8723ac1178a69c4dff7164203d999d61c2159bb':
Fix for HDFFV-10357 (CVE-2017-17508).
Fix for HDFFV-10355 (CVE-2017-17506).
Fix for HDFFV-10354 (CVE-2017-17505).
Diffstat (limited to 'release_docs')
| -rw-r--r-- | release_docs/RELEASE.txt | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 4675423..199265c 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -232,6 +232,63 @@ Bug Fixes since HDF5-1.10.1 release (DER - 2017/11/21, HDFFV-10330) + - If an HDF5 file contains a filter pipeline message with a 'number of + filters' field that exceeds the maximum number of allowed filters, + the error handling code will attempt to dereference a NULL pointer. + + This issue was reported to The HDF Group as issue #CVE-2017-17505. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + This problem arose because the error handling code assumed that + the 'number of filters' field implied that a dynamic array of that + size had already been created and that the cleanup code should + iterate over that array and clean up each element's resources. If + an error occurred before the array has been allocated, this will + not be true. + + This has been changed so that the number of filters is set to + zero on errors. Additionally, the filter array traversal in the + error handling code now requires that the filter array not be NULL. + + (DER - 2018/02/06, HDFFV-10354) + + - If an HDF5 file contains a filter pipeline message which contains + a 'number of filters' field that exceeds the actual number of + filters in the message, the HDF5 C library will read off the end of + the read buffer. + + This issue was reported to The HDF Group as issue #CVE-2017-17506. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + The problem was fixed by passing the buffer size with the buffer + and ensuring that the pointer cannot be incremented off the end + of the buffer. A mismatch between the number of filters declared + and the actual number of filters will now invoke normal HDF5 + error handling. + + (DER - 2018/02/26, HDFFV-10355) + + - If an HDF5 file contains a malformed compound type which contains + a member of size zero, a division by zero error will occur while + processing the type. + + This issue was reported to The HDF Group as issue #CVE-2017-17508. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + Checking for zero before dividing fixes the problem. Instead of the + division by zero, the normal HDF5 error handling is invoked. + + (DER - 2018/02/26, HDFFV-10357) + Configuration ------------- - CMake |