Skip to content

Commit

Permalink
Bring CVE fixes from develop (HDFGroup#3447)
Browse files Browse the repository at this point in the history
* Bring CVE fixes from develop

* Fix for CVE-2018-15671
* Fix for CVE-2016-4332

* Update the CVE matrix
  • Loading branch information
derobins authored Aug 30, 2023
1 parent 8063108 commit 4646ac8
Show file tree
Hide file tree
Showing 6 changed files with 33 additions and 48 deletions.
11 changes: 5 additions & 6 deletions CVE_list_1_14.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
| [CVE-2018-17233](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17233) | | | | |
| [CVE-2018-16438](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16438) | | | | |
| [CVE-2018-15672](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15672) | | | | |
| [CVE-2018-15671](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15671) | FAILED | FAILED | FAILED | FAILED |
| [CVE-2018-15671](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15671) | FAILED | FAILED | FAILED | |
| [CVE-2018-14460](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14460) | | | | |
| [CVE-2018-14035](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14035) | | | | |
| [CVE-2018-14034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14034) | | | | |
Expand Down Expand Up @@ -63,13 +63,12 @@
| [CVE-2017-17507](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17507) | FAILED | FAILED | | |
| [CVE-2017-17506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17506) | | | | |
| [CVE-2017-17505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17505) | | | | |
| [CVE-2016-4333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
| [CVE-2016-4332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
| [CVE-2016-4331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
| [CVE-2016-4330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
| [CVE-2016-4333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333) | | | | |
| [CVE-2016-4332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332) | FAILED | FAILED | FAILED | |
| [CVE-2016-4331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331) | | | | |
| [CVE-2016-4330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330) | | | | |

## NOTES
* No test files are available for the 2016 CVE issues as Talos doesn't release proof-of-vulnerability files. We will add our own proof-of-vulnerability files in the future.
* CVE-2021-45832 has no known proof of vulnerability file. We will attempt to create our own.
* CVE-2021-31009 is not a specific vulnerability against HDF5.
* CVE-2022-25942, CVE-2022-25972, and CVE-2022-26061 are not tested. Those vulnerabilities involve the high-level GIF tools and can be avoided by disabling those tools at build time.
14 changes: 12 additions & 2 deletions release_docs/RELEASE.txt
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,18 @@ Bug Fixes since HDF5-1.14.2 release
===================================
Library
-------
- Fixed an assertion in a previous fix for CVE-2016-4332

An assert could fail when processing corrupt files that have invalid
shared message flags (as in CVE-2016-4332).

The assert statement in question has been replaced with pointer checks
that don't raise errors. Since the function is in cleanup code, we do
our best to close and free things, even when presented with partially
initialized structs.

Fixes CVE-2016-4332 and HDFFV-9950 (confirmed via the cve_hdf5 repo)

- Fixed performance regression with some compound type conversions

In-place type conversion was introduced for most use cases in 1.14.2.
Expand All @@ -119,8 +131,6 @@ Bug Fixes since HDF5-1.14.2 release
this optimized conversion and there is no benefit in terms of the I/O
size.

- Fixed an assertion in a previous fix for CVE-2016-4332


Java Library
------------
Expand Down
22 changes: 7 additions & 15 deletions src/H5Gint.c
Original file line number Diff line number Diff line change
Expand Up @@ -977,15 +977,13 @@ H5G__visit_cb(const H5O_link_t *lnk, void *_udata)
/* Check if we've seen the object the link references before */
if (NULL == H5SL_search(udata->visited, &obj_pos)) {
H5O_type_t otype; /* Basic object type (group, dataset, etc.) */
unsigned rc; /* Reference count of object */

/* Get the object's reference count and type */
if (H5O_get_rc_and_type(&obj_oloc, &rc, &otype) < 0)
if (H5O_get_rc_and_type(&obj_oloc, NULL, &otype) < 0)
HGOTO_ERROR(H5E_SYM, H5E_CANTGET, H5_ITER_ERROR, "unable to get object info");

/* If its ref count is > 1, we add it to the list of visited objects */
/* (because it could come up again during traversal) */
if (rc > 1) {
/* Add it to the list of visited objects */
{
H5_obj_t *new_node; /* New object node for visited list */

/* Allocate new object "position" node */
Expand All @@ -999,7 +997,7 @@ H5G__visit_cb(const H5O_link_t *lnk, void *_udata)
if (H5SL_insert(udata->visited, new_node, new_node) < 0)
HGOTO_ERROR(H5E_SYM, H5E_CANTINSERT, H5_ITER_ERROR,
"can't insert object node into visited list");
} /* end if */
}

/* If it's a group, we recurse into it */
if (otype == H5O_TYPE_GROUP) {
Expand Down Expand Up @@ -1094,7 +1092,6 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
hid_t gid = H5I_INVALID_HID; /* Group ID */
H5G_t *grp = NULL; /* Group opened */
H5G_loc_t start_loc; /* Location of starting group */
unsigned rc; /* Reference count of object */
herr_t ret_value = FAIL; /* Return value */

/* Portably clear udata struct (before FUNC_ENTER) */
Expand Down Expand Up @@ -1136,13 +1133,8 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
if ((udata.visited = H5SL_create(H5SL_TYPE_OBJ, NULL)) == NULL)
HGOTO_ERROR(H5E_SYM, H5E_CANTCREATE, FAIL, "can't create skip list for visited objects");

/* Get the group's reference count */
if (H5O_get_rc_and_type(&grp->oloc, &rc, NULL) < 0)
HGOTO_ERROR(H5E_SYM, H5E_CANTGET, FAIL, "unable to get object info");

/* If its ref count is > 1, we add it to the list of visited objects */
/* (because it could come up again during traversal) */
if (rc > 1) {
/* Add it to the list of visited objects */
{
H5_obj_t *obj_pos; /* New object node for visited list */

/* Allocate new object "position" node */
Expand All @@ -1156,7 +1148,7 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
/* Add to list of visited objects */
if (H5SL_insert(udata.visited, obj_pos, obj_pos) < 0)
HGOTO_ERROR(H5E_SYM, H5E_CANTINSERT, FAIL, "can't insert object node into visited list");
} /* end if */
}

/* Attempt to get the link info for this group */
if ((linfo_exists = H5G__obj_get_linfo(&(grp->oloc), &linfo)) < 0)
Expand Down
16 changes: 7 additions & 9 deletions src/H5Omessage.c
Original file line number Diff line number Diff line change
Expand Up @@ -619,13 +619,12 @@ H5O__msg_free_mesg(H5O_mesg_t *mesg)
} /* end H5O__msg_free_mesg() */

/*-------------------------------------------------------------------------
* Function: H5O_msg_free_real
* Function: H5O_msg_free_real
*
* Purpose: Similar to H5O_msg_reset() except it also frees the message
* pointer.
* Purpose: Similar to H5O_msg_reset() except it also frees the message
* pointer
*
* Return: Success: NULL
* Failure: NULL
* Return: NULL (always)
*
*-------------------------------------------------------------------------
*/
Expand All @@ -634,16 +633,15 @@ H5O_msg_free_real(const H5O_msg_class_t *type, void *msg_native)
{
FUNC_ENTER_NOAPI_NOINIT_NOERR

/* check args */
assert(type);
/* Don't assert on args since this could be called in cleanup code */

if (msg_native) {
H5O__msg_reset_real(type, msg_native);
if (NULL != (type->free))
if (type && type->free)
(type->free)(msg_native);
else
H5MM_xfree(msg_native);
} /* end if */
}

FUNC_LEAVE_NOAPI(NULL)
} /* end H5O_msg_free_real() */
Expand Down
9 changes: 1 addition & 8 deletions tools/src/h5dump/h5dump_ddl.c
Original file line number Diff line number Diff line change
Expand Up @@ -853,10 +853,7 @@ dump_group(hid_t gid, const char *name)

H5Oget_info3(gid, &oinfo, H5O_INFO_BASIC);

/* Must check for uniqueness of all objects if we've traversed an elink,
* otherwise only check if the reference count > 1.
*/
if (oinfo.rc > 1 || hit_elink) {
{
obj_t *found_obj; /* Found object */

found_obj = search_obj(group_table, &oinfo.token);
Expand All @@ -880,10 +877,6 @@ dump_group(hid_t gid, const char *name)
link_iteration(gid, crt_order_flags);
}
}
else {
attr_iteration(gid, attr_crt_order_flags);
link_iteration(gid, crt_order_flags);
}

dump_indent -= COL;
ctx.indent_level--;
Expand Down
9 changes: 1 addition & 8 deletions tools/testfiles/tgroup-2.ddl
Original file line number Diff line number Diff line change
Expand Up @@ -17,14 +17,7 @@ GROUP "/" {
}
}
GROUP "g2" {
GROUP "g2.1" {
GROUP "g2.1.1" {
}
GROUP "g2.1.2" {
}
GROUP "g2.1.3" {
}
}
HARDLINK "/g2"
}
GROUP "g3" {
GROUP "g3.1" {
Expand Down

0 comments on commit 4646ac8

Please sign in to comment.