Source: hdf5
Version: 1.14.5+repack-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for hdf5.

CVE-2025-2308[0]:
| A vulnerability, which was classified as critical, was found in HDF5
| 1.14.6. This affects the function
| H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset
| Filter. The manipulation leads to heap-based buffer overflow. An
| attack has to be approached locally. The exploit has been disclosed
| to the public and may be used. The real existence of this
| vulnerability is still doubted at the moment. The vendor was
| contacted early about a batch of vulnerabilities. His response was
| "reject" without further explanation. We have not received an
| elaboration even after asking politely for further details.
| Currently we assume that the vendor wants to "dispute" the entries
| which is why they are flagged as such until further details become
| available.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2308
    https://www.cve.org/CVERecord?id=CVE-2025-2308

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore