CVE-2016-4330 to CVE-2016-4333

Hi,

Apparently a number of security relevant problems have been found in the
HDF5 library and have been publicised a couple of weeks ago:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333

I understand there is some risk opening untrusted HDF5 files with an
unfixed library. Some Linux distributions have pushed out patched versions
(for example Debian), but I'm not sure there is a source release available
(or a binary build for that matter) from the HDF Group. At least I could
not see any announcement in this mailing list or on their web page.

Best wishes,
Tobias

Hi Tobias,

The vulnerabilities you mentioned were addressed in the HDF5 1.8.18 release that you can obtain here:

   Obtaining the Latest HDF5 Software: https://support.hdfgroup.org/HDF5/release/obtain518.html

For the issues fixed, please see the RELEASE.txt file:

   https://support.hdfgroup.org/ftp/HDF5/current18/src/hdf5-1.8.18-RELEASE.txt

Unfortunately, we failed to indicate the corresponding TALOS reports. Here they are:

CVE-2016-4330: HDF5 bug HDFFV-9992 (TALOS-2016-176)
CVE-2016-4331: HDF5 bug HDFFV-9951 (TALOS-2016-177)
CVE-2016-4332: HDF5 bug HDFFV-9950 (TALOS-2016-178)
CVE-2016-4333: HDF5 bug HDFFV-9993 (TALOS-2016-179)

The fixes are not in HDF5-1.10.0-patch1, but will be in the HDF5 1.10.1 release coming in January 2017.

-Barbara


_______________________________________________
Hdf-forum is for HDF software users discussion.
Hdf-forum@lists.hdfgroup.org
http://lists.hdfgroup.org/mailman/listinfo/hdf-forum_lists.hdfgroup.org
Twitter: https://twitter.com/hdf5
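A check a user could run against the HDF5 version their application links before opening untrusted files, based only on the fix versions stated in Barbara's reply above (1.8.18 for the 1.8 series; 1.10.1 for the 1.10 series, with 1.10.0-patch1 still unfixed). This is an added example, not code from the HDF Group or from anyone in this thread. It assumes the `h5py` binding for the optional runtime lookup (`h5py.version.hdf5_version` is a real attribute); everything else is plain Python and runs without HDF5 installed.

```python
"""Classify an HDF5 library version against the CVE-2016-4330..4333 fixes.

Fix versions come from the thread: 1.8.18 in the 1.8 series, 1.10.1 in the
1.10 series. The thread also says 1.10.0-patch1 does NOT carry the fixes,
which is why a naive tuple comparison such as `version >= (1, 8, 18)` is
wrong: (1, 10, 0) >= (1, 8, 18) is True even though 1.10.0-patch1 is unfixed.
Example code added to this thread, not HDF Group code.
"""

# Earliest fixed release per series, exactly as stated in the thread.
# Series not listed here (e.g. 1.9.x development builds) are "unknown":
# the thread gives no fix version for them, so we refuse to guess.
FIXED_IN = {
    (1, 8): (1, 8, 18),
    (1, 10): (1, 10, 1),
}


def parse_hdf5_version(text):
    """Parse '1.8.18', '1.10.0-patch1' or '1.10.1' into (major, minor, release).

    A '-patch1' / '-pre1' suffix is deliberately ignored: per the thread the
    patch suffix on 1.10.0 does not mean the CVE fixes are present.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised HDF5 version string: {text!r}")
    return tuple(int(p) for p in parts)


def hdf5_fix_status(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for a version string or tuple.

    The comparison is done per series: a version is only compared against the
    fix release of its own (major, minor) line, so 1.10.0 is judged against
    1.10.1 rather than against 1.8.18.
    """
    if isinstance(version, str):
        version = parse_hdf5_version(version)
    fixed = FIXED_IN.get(tuple(version[:2]))
    if fixed is None:
        return "unknown"
    return "fixed" if tuple(version) >= fixed else "vulnerable"


def linked_hdf5_version():
    """Version string of the HDF5 library h5py links against, or None if
    h5py is not installed (the only runtime dependency, and optional)."""
    try:
        import h5py
    except ImportError:
        return None
    return h5py.version.hdf5_version


if __name__ == "__main__":
    v = linked_hdf5_version()
    if v is None:
        print("h5py not installed; call hdf5_fix_status('1.8.17') etc. directly")
    else:
        print(f"linked HDF5 {v}: {hdf5_fix_status(v)} for CVE-2016-4330..4333")
```

The "unknown" result is intentional rather than a default of "fixed" or "vulnerable": the thread only names the two series above, so anything else should be checked against the RELEASE.txt of the version actually installed.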

Hi,

Do these vulnerabilities also exist in previous versions of HDF5 1.8.n?

Thanks!
Ann Al-Jazrawi

Hi Ann,

Yes, we think the vulnerabilities do exist in earlier releases.

-Barbara
help@hdfgroup.org

For the future it would be really appreciated if the CVE numbers were
included in the release notes for the version they were fixed in. I was
notified of the CVEs by my organization, but couldn't determine if they
were fixed in the latest release until I found this mailing list post.

I'd very much understand if the goal was to keep things under wraps during
the RC process and to not have a mention of the CVEs in the RC release
notes, but hopefully they could be manually entered when going from the
last RC to the release?

As an outsider to the community, was there a way I could have viewed the
HDF5 bugs? I wasn't able to find anything browsing around the website.

Just some thoughts from an outsider, thanks for your consideration.

Tom Kent
