From a8942c7413e939344b1244f041b72def191718f2 Mon Sep 17 00:00:00 2001 From: Dana Robinson <43805+derobins@users.noreply.github.com> Date: Wed, 9 Nov 2022 17:03:55 -0800 Subject: Adds a release note for PR #2210 (CVE-2019-8396) (#2247) * Adds a release note for PR #2210 (CVE-2019-8396) * Capitalization issue fixed --- release_docs/RELEASE.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 47c9730..1b6999d 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -89,6 +89,17 @@ New Features Library: -------- + - Fix for CVE-2019-8396 + + Malformed HDF5 files may have truncated content which does not match + the expected size. When H5O__pline_decode() attempts to decode these it + may read past the end of the allocated space leading to heap overflows + as bounds checking is incomplete. + + The fix ensures each element is within bounds before reading. + + (2022/11/09 - HDFFV-10712, CVE-2019-8396, GitHub #2209) + - Removal of memory allocation sanity checks feature This feature added heap canaries and statistics tracking for internal -- cgit v0.12