Report error if dimensions of chunked storage in data layout < 2 (#2241)

For Data Layout Messages version 1 & 2 the specification state
that the value stored in the data field is 1 greater than the
number of dimensions in the dataspace. For version 3 this is
not explicitly stated but the implementation suggests it to be
the case.
Thus the set value needs to be at least 2. For dimensionality
< 2 an out-of-bounds access occurs as in CVE-2021-45833.

This fixes CVE-2021-45833 / Bug #2240.

Signed-off-by: Egbert Eich <eich@suse.com>

Signed-off-by: Egbert Eich <eich@suse.com>
Co-authored-by: Larry Knox <lrknox@hdfgroup.org>

1 files changed, 14 insertions, 1 deletions

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 158472c..7013cbc 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -213,6 +213,20 @@ Bug Fixes since HDF5-1.13.3 release
 
       (EFE - 2022/10/05 GH-2228)
 
+    - Fix CVE-2021-45833 / GHSA-x57p-jwp6-4v79
+
+      Report error if dimensions of chunked storage in data layout < 2
+    
+      For Data Layout Messages version 1 & 2 the specification state
+      that the value stored in the data field is 1 greater than the
+      number of dimensions in the dataspace. For version 3 this is
+      not explicitly stated but the implementation suggests it to be
+      the case.
+      Thus the set value needs to be at least 2. For dimensionality
+      < 2 an out-of-bounds access occurs.
+ 
+      (EFE - 2022/09/28 GH-2240)
+      
     - Fix CVE-2018-14031 / GHSA-2xc7-724c-r36j
 
       Parent of enum datatype message must have the same size as the
@@ -238,7 +252,6 @@ Bug Fixes since HDF5-1.13.3 release
 
       (EFE - 2022/09/27 HDFFV-10589, GH-2226)
 
-
     Java Library
     ------------
     -