Your message dated Sat, 03 Dec 2016 22:48:39 +0000
with message-id <e1cdj6l-000dfh...@fasolo.debian.org>
and subject line Bug#845301: fixed in hdf5 1.8.13+docs-15+deb8u1
has caused the Debian Bug report #845301,
regarding hdf5: CVE-2016-4330 CVE-2016-4331 CVE-2016-4332 CVE-2016-4333
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
845301: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: hdf5
Version: 1.8.16+docs-8
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerabilities were published for hdf5.
CVE-2016-4330[0]:
| In the HDF5 1.8.16 library's failure to check if the number of
| dimensions for an array read from the file is within the bounds of the
| space allocated for it, a heap-based buffer overflow will occur,
| potentially leading to arbitrary code execution.
CVE-2016-4331[1]:
| When decoding data out of a dataset encoded with the H5Z_NBIT
| decoding, the HDF5 1.8.16 library will fail to ensure that the
| precision is within the bounds of the size leading to arbitrary code
| execution.
CVE-2016-4332[2]:
| The library's failure to check if certain message types support a
| particular flag, the HDF5 1.8.16 library will cast the structure to an
| alternative structure and then assign to fields that aren't supported
| by the message type and the library will write outside the bounds of
| the heap buffer. This can lead to code execution under the context of
| the library.
CVE-2016-4333[3]:
| The HDF5 1.8.16 library allocating space for the array using a value
| from the file has an impact within the loop for initializing said
| array allowing a value within the file to modify the loop's
| terminator. Due to this, an aggressor can cause the loop's index to
| point outside the bounds of the array when initializing it.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-4330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330
[1] https://security-tracker.debian.org/tracker/CVE-2016-4331
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331
[2] https://security-tracker.debian.org/tracker/CVE-2016-4332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332
[3] https://security-tracker.debian.org/tracker/CVE-2016-4333
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
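The first two advisories above describe the same defect class: a count or width read from the file is trusted before the buffer it indexes is checked. The following C block is an added, constructed illustration (not HDF5's own code or the upstream patch) of the two checks a decoder needs: a dimension count validated against its allocation and against the bytes present (the CVE-2016-4330 pattern), and N-bit precision/offset validated against the element size (the CVE-2016-4331 pattern). The record layout, MAX_DIMS and both function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed illustration, not HDF5's own code: a tiny dataspace
 * record laid out as [ndims: 1 byte][dims: ndims x uint64, little-endian]. */
#define MAX_DIMS 32

typedef struct {
    unsigned ndims;
    uint64_t dims[MAX_DIMS];   /* fixed allocation the file must not exceed */
} dataspace_t;

static uint64_t rd_u64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Returns 0 on success, -1 if the record is malformed. Both checks are the
 * ones a decoder needs against the CVE-2016-4330 pattern: the dimension
 * count read from the file must fit the space allocated for it, and the
 * buffer must really contain that many entries. */
int decode_dataspace(const uint8_t *buf, size_t len, dataspace_t *out)
{
    if (len < 1)
        return -1;
    unsigned ndims = buf[0];
    if (ndims > MAX_DIMS)            /* file-controlled count vs. allocation */
        return -1;
    if ((len - 1) / 8 < ndims)       /* count vs. bytes actually present */
        return -1;
    out->ndims = ndims;
    for (unsigned i = 0; i < ndims; i++)
        out->dims[i] = rd_u64le(buf + 1 + 8 * i);
    return 0;
}

/* N-bit filter parameter check (CVE-2016-4331 pattern): precision and
 * offset are in bits and must both lie inside the element size in bytes.
 * Returns 1 if the parameters are usable, 0 otherwise. */
int nbit_params_ok(unsigned size_bytes, unsigned precision, unsigned offset)
{
    if (size_bytes == 0 || size_bytes > 8 || precision == 0 ||
        precision > size_bytes * 8)
        return 0;
    /* Subtracting first avoids wrap-around in offset + precision. */
    return offset <= size_bytes * 8 - precision;
}
```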
--- Begin Message ---
Source: hdf5
Source-Version: 1.8.13+docs-15+deb8u1
We believe that the bug you reported is fixed in the latest version of
hdf5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 845...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gilles Filippini <p...@debian.org> (supplier of updated hdf5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 25 Nov 2016 00:59:06 +0100
Source: hdf5
Binary: libhdf5-8 libhdf5-8-dbg libhdf5-cpp-8 libhdf5-cpp-8-dbg libhdf5-dev
libhdf5-openmpi-8 libhdf5-openmpi-dev libhdf5-openmpi-8-dbg libhdf5-mpich-8
libhdf5-mpich-dev libhdf5-mpich2-dev libhdf5-mpich-8-dbg libhdf5-mpi-dev
libhdf5-doc hdf5-helpers hdf5-tools libhdf5-serial-dev
Architecture: source all amd64
Version: 1.8.13+docs-15+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian GIS Project <pkg-grass-de...@lists.alioth.debian.org>
Changed-By: Gilles Filippini <p...@debian.org>
Description:
hdf5-helpers - Hierarchical Data Format 5 (HDF5) - Helper tools
hdf5-tools - Hierarchical Data Format 5 (HDF5) - Runtime tools
libhdf5-8 - Hierarchical Data Format 5 (HDF5) - runtime files - serial versio
libhdf5-8-dbg - Hierarchical Data Format 5 (HDF5) - Debug package
libhdf5-cpp-8 - Hierarchical Data Format 5 (HDF5) - C++ libraries
libhdf5-cpp-8-dbg - Hierarchical Data Format 5 (HDF5) - C++ Debug package
libhdf5-dev - Hierarchical Data Format 5 (HDF5) - development files - serial ve
libhdf5-doc - Hierarchical Data Format 5 (HDF5) - Documentation
libhdf5-mpi-dev - Hierarchical Data Format 5 (HDF5) - development files - default M
libhdf5-mpich-8 - Hierarchical Data Format 5 (HDF5) - runtime files - MPICH2 versio
libhdf5-mpich-8-dbg - Hierarchical Data Format 5 (HDF5) - Mpich Debug package
libhdf5-mpich-dev - Hierarchical Data Format 5 (HDF5) - development files - MPICH ver
libhdf5-mpich2-dev - Hierarchical Data Format 5 (HDF5) - development files - MPICH ver
libhdf5-openmpi-8 - Hierarchical Data Format 5 (HDF5) - runtime files - OpenMPI versi
libhdf5-openmpi-8-dbg - Hierarchical Data Format 5 (HDF5) - OpenMPI Debug package
libhdf5-openmpi-dev - Hierarchical Data Format 5 (HDF5) - development files - OpenMPI v
libhdf5-serial-dev - transitional dummy package
Closes: 845301
Changes:
hdf5 (1.8.13+docs-15+deb8u1) jessie-security; urgency=high
.
* New patches CVE-2016-433*.patch from upstream develop branch
to fix four vulnerabilities unveiled by TALOS (closes: #845301,
CVE-2016-4330, CVE-2016-4331, CVE-2016-4332, CVE-2016-4333)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---