An update for hdf5 is now available for openEuler-20.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1987 Final 1.0 1.0 2023-12-29 Initial 2023-12-29 2023-12-29 openEuler SA Tool V1.0 2023-12-29 hdf5 security update An update for hdf5 is now available for openEuler-20.03-LTS-SP3. HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format. Security Fix(es): A heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17433) ReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17436) An issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.(CVE-2020-10809) An update for hdf5 is now available for openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium hdf5 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1987 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2018-17433 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2018-17436 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2020-10809 https://nvd.nist.gov/vuln/detail/CVE-2018-17433 https://nvd.nist.gov/vuln/detail/CVE-2018-17436 https://nvd.nist.gov/vuln/detail/CVE-2020-10809 openEuler-20.03-LTS-SP3 hdf5-openmpi-static-1.12.1-4.oe1.aarch64.rpm hdf5-mpich-1.12.1-4.oe1.aarch64.rpm hdf5-1.12.1-4.oe1.aarch64.rpm hdf5-openmpi-devel-1.12.1-4.oe1.aarch64.rpm hdf5-devel-1.12.1-4.oe1.aarch64.rpm hdf5-mpich-static-1.12.1-4.oe1.aarch64.rpm hdf5-debuginfo-1.12.1-4.oe1.aarch64.rpm hdf5-mpich-devel-1.12.1-4.oe1.aarch64.rpm hdf5-openmpi-1.12.1-4.oe1.aarch64.rpm hdf5-debugsource-1.12.1-4.oe1.aarch64.rpm hdf5-1.12.1-4.oe1.src.rpm hdf5-debugsource-1.12.1-4.oe1.x86_64.rpm hdf5-debuginfo-1.12.1-4.oe1.x86_64.rpm hdf5-devel-1.12.1-4.oe1.x86_64.rpm hdf5-openmpi-static-1.12.1-4.oe1.x86_64.rpm hdf5-mpich-static-1.12.1-4.oe1.x86_64.rpm hdf5-openmpi-devel-1.12.1-4.oe1.x86_64.rpm hdf5-mpich-1.12.1-4.oe1.x86_64.rpm hdf5-mpich-devel-1.12.1-4.oe1.x86_64.rpm hdf5-1.12.1-4.oe1.x86_64.rpm hdf5-openmpi-1.12.1-4.oe1.x86_64.rpm A heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file. 2023-12-29 CVE-2018-17433 openEuler-20.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H hdf5 security update 2023-12-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1987 ReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file. 2023-12-29 CVE-2018-17436 openEuler-20.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H hdf5 security update 2023-12-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1987 An issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service. 2023-12-29 CVE-2020-10809 openEuler-20.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H hdf5 security update 2023-12-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1987