Source: hdf5
Version: 1.14.5+repack-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for hdf5.

CVE-2025-2309[0]:
| A vulnerability has been found in HDF5 1.14.6 and classified as
| critical. This vulnerability affects the function H5T__bit_copy of
| the component Type Conversion Logic. The manipulation leads to
| heap-based buffer overflow. Local access is required to approach
| this attack. The exploit has been disclosed to the public and may be
| used. The real existence of this vulnerability is still doubted at
| the moment. The vendor was contacted early about a batch of
| vulnerabilities. His response was "reject" without further
| explanation. We have not received an elaboration even after asking
| politely for further details. Currently we assume that the vendor
| wants to "dispute" the entries, which is why they are flagged as such
| until further details become available.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ID in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2309
    https://www.cve.org/CVERecord?id=CVE-2025-2309

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

