
CVE-2016-4330 to CVE-2016-4333


CVE-2016-4330 to CVE-2016-4333

Tobias Richter
Hi,

Apparently a number of security relevant problems have been found in the
HDF5 library and have been publicised a couple of weeks ago:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333


I understand there is some risk opening untrusted HDF5 files with an
unfixed library. Some Linux distributions have pushed out patched versions
(for example Debian), but I'm not sure there is a source release available
(or a binary build for that matter) from the HDF Group. At least I could
not see any announcement in this mailing list or on their web page.

Best wishes,
Tobias


_______________________________________________
Hdf-forum is for HDF software users discussion.
[hidden email]
http://lists.hdfgroup.org/mailman/listinfo/hdf-forum_lists.hdfgroup.org
Twitter: https://twitter.com/hdf5

Re: CVE-2016-4330 to CVE-2016-4333

bljones
Hi Tobias,

The vulnerabilities you mentioned were addressed in the HDF5 1.8.18 release that you can obtain here:
 
   https://support.hdfgroup.org/HDF5/release/obtain518.html

For the issues fixed, please see the RELEASE.txt file:

   https://support.hdfgroup.org/ftp/HDF5/current18/src/hdf5-1.8.18-RELEASE.txt

Unfortunately, we failed to indicate the corresponding TALOS reports. Here they are:

CVE-2016-4330:  HDF5 bug  HDFFV-9992 (TALOS-2016-176)
CVE-2016-4331:  HDF5 bug  HDFFV-9951 (TALOS-2016-177)
CVE-2016-4332:  HDF5 bug  HDFFV-9950 (TALOS-2016-178)
CVE-2016-4333:  HDF5 bug  HDFFV-9993 (TALOS-2016-179)

The fixes are not in HDF5-1.10.0-patch1, but will be in the HDF5 1.10.1 release coming in January 2017.

-Barbara


-----Original Message-----
From: Hdf-forum [mailto:[hidden email]] On Behalf Of Tobias Richter
Sent: Thursday, December 01, 2016 2:48 AM
To: HDF Users Discussion List
Subject: [Hdf-forum] CVE-2016-4330 to CVE-2016-4333


Re: CVE-2016-4330 to CVE-2016-4333

Ann M Al-jazrawi
Hi,

Do these vulnerabilities also exist in previous versions of HDF5 1.8.n?

Thanks!
Ann Al-Jazrawi

On 12/01/2016 09:17 AM, Barbara Jones wrote:


Re: CVE-2016-4330 to CVE-2016-4333

Tom Kent
In reply to this post by Tobias Richter
For the future it would be really appreciated if the CVE numbers were included in the release notes for the version they were fixed in. I was notified of the CVEs by my organization, but couldn't determine if they were fixed in the latest release until I found this mailing list post. 

I'd very much understand if the goal was to keep things under wraps during the rc process and to not have a mention of the CVEs in the rc release notes, but hopefully they could be manually entered when going from the last RC to the release? 

As an outsider to the community, was there a way I could have viewed the HDF5 bugs? I wasn't able to find anything browsing around the website.

Just some thoughts from an outsider, thanks for your consideration.

Tom Kent

 

Re: CVE-2016-4330 to CVE-2016-4333

bljones
In reply to this post by Ann M Al-jazrawi
Hi Ann,

Yes, we think the vulnerabilities do exist in earlier releases.

-Barbara
[hidden email]

-----Original Message-----
From: Hdf-forum [mailto:[hidden email]] On Behalf Of Ann M Al-jazrawi
Sent: Thursday, December 01, 2016 10:03 AM
To: [hidden email]
Subject: Re: [Hdf-forum] CVE-2016-4330 to CVE-2016-4333

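The practical question in this thread is whether a given HDF5 build carries the fixes for CVE-2016-4330 to CVE-2016-4333. The script below is an added example, not code from the HDF Group or from anyone in the thread. It encodes only what Barbara's two replies state: the fixes are in 1.8.18, are not in 1.10.0-patch1, were expected in 1.10.1, and earlier releases are believed to be affected. Any other release series is reported as "unknown" rather than guessed. The optional runtime probe assumes h5py is installed and reads `h5py.version.hdf5_version`; it is skipped when h5py is absent. One caveat from Tobias's message applies to any version-string check: a distribution that backports the fix (Debian is named) keeps the old upstream version number, so a "vulnerable" verdict on a distro package must be confirmed against the package changelog, not the version alone.

```python
import re
from typing import Optional, Tuple

# Fix thresholds as stated in the thread: 1.8.18 carries the fixes for
# CVE-2016-4330..4333, 1.10.0-patch1 does not, 1.10.1 was announced to.
# Series not mentioned in the thread are deliberately absent and come
# back as "unknown" instead of being assumed fixed.
FIXED_IN = {
    (1, 8): (1, 8, 18),
    (1, 10): (1, 10, 1),
}

# Accepts upstream forms such as "1.8.18", "1.10.0-patch1", "1.10.1-pre1".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:[-.]?(patch\d+|pre\d+|snap\d+))?$"
)


def parse_version(text: str) -> Tuple[int, int, int, Optional[str]]:
    """Split an HDF5 version string into (major, minor, release, tag)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised HDF5 version string: {text!r}")
    major, minor, release = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, release, m.group(4)


def fix_status(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for an upstream version.

    'vulnerable' means: same series as a known fix release but older than it
    (the thread says earlier releases are believed to be affected).
    Distro backports keep old version numbers, so treat 'vulnerable' as
    'check the package changelog' when the library is distro-supplied.
    """
    major, minor, release, tag = parse_version(text)
    threshold = FIXED_IN.get((major, minor))
    if threshold is None:
        return "unknown"
    base = (major, minor, release)
    if base > threshold:
        return "fixed"
    if base < threshold:
        return "vulnerable"
    # Exactly the fix release: a pre-release snapshot of it may predate the
    # fix, so only the final release (or a later patch of it) counts.
    if tag and tag.startswith("pre"):
        return "unknown"
    return "fixed"


def linked_hdf5_version() -> Optional[str]:
    """Version of the HDF5 library h5py is linked against, or None.

    Assumes the h5py attribute `h5py.version.hdf5_version`; h5py is optional
    and the offline checks above do not need it.
    """
    try:
        import h5py
    except ImportError:
        return None
    return h5py.version.hdf5_version


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the thread mentions.
    for sample in ("1.8.17", "1.8.18", "1.10.0-patch1", "1.10.1", "1.12.0"):
        print(f"{sample:>14}: {fix_status(sample)}")
    linked = linked_hdf5_version()
    if linked is None:
        print("h5py not installed; pass a version string to fix_status()")
    else:
        print(f"linked HDF5 {linked}: {fix_status(linked)}")
```

Run it as-is to see the thread's cases classified, or call `fix_status()` with the output of `h5cc -showconfig` or `h5dump --version` on the host being assessed.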