CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

hdf5 1.14.4-3: fix CVE-2025-2912

Browse Source 
Upstream Repository: https://github.com/HDFGroup/hdf5.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2912
Type: Security Fix
CVE: CVE-2025-2912
Score: 4.8
Patch: https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a

Analysis:
- CVE-2025-2913 was previously fixed by [1], which is also addresses CVE-2025-2912
  as noted in [4].
- NVD [2] references the GitHub discussion [3] for CVE-2025-2912, and we successfully
  reproduced the issue following the steps outlined there.
- Applied the fix from [4] and verified resolution using the reproduction steps.
- The same patch [4] is already included in OE-scarthgap [5] for CVE-2025-2913.
- Therefore, reused the patch from [5] to resolve CVE-2025-2912.

References:
[1] https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-2912
[3] https://github.com/HDFGroup/hdf5/issues/5370#issue-2917388806
[4] https://github.com/HDFGroup/hdf5/issues/5370#issuecomment-3542881855
[5] https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-support/hdf5?h=scarthgap&id=b42e6eb3e51a

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Sudhir Dumbhare 2025-12-08 20:59:14 -08:00 committed by Anuj Mittal
parent c223262bd7
commit e0dbf0bcd3
No known key found for this signature in database
GPG Key ID: 4340AEFE69F5085C
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
meta-oe/recipes-support/hdf5/files/CVE-2025-2913.patch → meta-oe/recipes-support/hdf5/files/CVE-2025-2913-CVE-2025-2912.patch
View File

@ -9,10 +9,11 @@ one of the free lists. It appeared that the library came to this vulnerability
after it encountered an undetected reading of a bad value. The fuzzer now failed
with an appropriate error message.
CVE: CVE-2025-2913
CVE: CVE-2025-2913 CVE-2025-2912
Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a09c892bc97ac32d9515c3777ce07]
(cherry picked from commit 7cc8b5e1010a09c892bc97ac32d9515c3777ce07)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
src/H5Ocont.c | 2 ++
1 file changed, 2 insertions(+)

2
meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
View File

@ -15,7 +15,7 @@ SRC_URI = " \
https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.4/src/${BPN}-${PV}.tar.gz \
file://0002-Remove-suffix-shared-from-shared-library-name.patch \
file://0001-cmake-remove-build-flags.patch \
file://CVE-2025-2913.patch \
file://CVE-2025-2913-CVE-2025-2912.patch \
file://CVE-2025-2914.patch \
file://CVE-2025-2915.patch \
file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \