SB2019021703 - Multiple vulnerabilities in HDF5
Published: February 17, 2019 Updated: August 8, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2019-9151)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5VM_memcpyvv in H5VM.c when called from H5D__compact_readvv in H5Dcompact.c.
2) Out-of-bounds read (CVE-ID: CVE-2019-9152)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5MM_xstrdup in H5MM.c when called from H5O_dtype_decode_helper in H5Odtype.c.
3) Out-of-bounds read (CVE-ID: CVE-2019-8397)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_close_real in H5T.c.
4) Out-of-bounds read (CVE-ID: CVE-2019-8398)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c.
Remediation
Install update from vendor's website.