From e908accadf92ce658572d928369f616e25a8cc9b Mon Sep 17 00:00:00 2001 From: Dana Robinson <43805+derobins@users.noreply.github.com> Date: Thu, 28 Mar 2024 12:08:05 -0700 Subject: [PATCH] Add release note for CVE-2017-17507 (#4275) --- release_docs/RELEASE.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index d45d9d1ee9b..28dbd2357be 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -693,6 +693,19 @@ Bug Fixes since HDF5-1.14.0 release Library ------- + - Fixed CVE-2017-17507 + + This CVE was previously declared fixed, but later testing with a static + build of HDF5 showed that it was not fixed. + + When parsing a malformed (fuzzed) compound type containing variable-length + string members, the library could produce a segmentation fault, crashing + the library. + + This was fixed after GitHub PR #4234 + + Fixes GitHub issue #3446 + - Fixed a cache assert with very large metadata objects If the library tries to load a metadata object that is above a