Update hdf5 to version 1.12.2 / rev 81 via SR 1066251

https://build.opensuse.org/request/show/1066251 by user eeich + dimstar_suse - Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973). HDFGroup/hdf5#2458 HDFGroup/hdf5#2459 Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch Remove-duplicate-code.patch (forwarded request 1066178 from eeich)
bmwiedemann · Feb 17, 2023 · 3b318c5 · 3b318c5
1 parent d07b773
commit 3b318c5
Show file tree

Hide file tree

Showing 6 changed files with 123 additions and 2 deletions.
diff --git a/packages/h/hdf5/.files b/packages/h/hdf5/.files
diff --git a/packages/h/hdf5/.rev b/packages/h/hdf5/.rev
@@ -795,4 +795,17 @@ fixed baselibs.conf compared to previous version</comment>
     <comment></comment>
     <requestid>1035905</requestid>
   </revision>
+  <revision rev="81" vrev="4">
+    <srcmd5>186a5ae390ac75e0b090c0ff09a446ef</srcmd5>
+    <version>1.12.2</version>
+    <time>1676648657</time>
+    <user>dimstar_suse</user>
+    <comment>- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus
+  input file (bsc#1207973).
+  https://github.com/HDFGroup/hdf5/issues/2458
+  https://github.com/HDFGroup/hdf5/pull/2459
+  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
+  Remove-duplicate-code.patch (forwarded request 1066178 from eeich)</comment>
+    <requestid>1066251</requestid>
+  </revision>
 </revisionlist>
diff --git a/packages/h/hdf5/Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch b/packages/h/hdf5/Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
@@ -0,0 +1,66 @@
+From: Egbert Eich <[email protected]>
+Date: Sat Feb 11 13:54:17 2023 +0100
+Subject: Check for overflow when calculating on-disk attribute data size (#2459)
+Patch-mainline: Not yet
+Git-repo: https://github.com/HDFGroup/hdf5
+Git-commit: 0d026daa13a81be72495872f651c036fdc84ae5e
+References: 
+
+A bogus hdf5 file may contain dataspace messages with sizes
+which lead to the on-disk data sizes to exceed what is addressable.
+When calculating the size, make sure, the multiplication does not
+overflow.
+The test case was crafted in a way that the overflow caused the
+size to be 0.
+
+This fixes CVE-2021-37501 / Bug #2458.
+
+Signed-off-by: Egbert Eich <[email protected]>
+Signed-off-by: Egbert Eich <[email protected]>
+---
+ src/H5Oattr.c   |  3 +++
+ src/H5private.h | 18 ++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+diff --git a/src/H5Oattr.c b/src/H5Oattr.c
+index 4dee7aa187..3ef0b99aa4 100644
+--- a/src/H5Oattr.c
++++ b/src/H5Oattr.c
+@@ -235,6 +235,9 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
+
+     /* Compute the size of the data */
+     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
++    H5_CHECK_MUL_OVERFLOW(attr->shared->data_size, ds_size, dt_size,
++			  HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL,
++				      "data size exceeds addressable range"))
+
+     /* Go get the data */
+     if (attr->shared->data_size) {
+diff --git a/src/H5private.h b/src/H5private.h
+index 931d7b9046..a115aee1a4 100644
+--- a/src/H5private.h
++++ b/src/H5private.h
+@@ -1605,6 +1605,24 @@ H5_DLL int     HDvasprintf(char **bufp, const char *fmt, va_list _ap);
+ #define H5_CHECK_OVERFLOW(var, vartype, casttype)
+ #endif /* NDEBUG */
+
++/*
++ * A macro for checking whether a multiplication has overflown
++ * r is assumed to be the result of a prior multiplication of a and b
++ */
++#define H5_CHECK_MUL_OVERFLOW(r, a, b, err)                                                                  \
++    {                                                                                                        \
++        bool mul_overflow = false;                                                                           \
++        if (r != 0) {                                                                                        \
++            if (r / a != b)                                                                                  \
++                mul_overflow = true;                                                                         \
++        } else {                                                                                             \
++            if (a != 0 && b != 0)                                                                            \
++                mul_overflow = true;                                                                         \
++        }                                                                                                    \
++        if (mul_overflow)                                                                                    \
++            err                                                                                              \
++    }
++
+ /*
+  * A macro for detecting over/under-flow when assigning between types
+  */
diff --git a/packages/h/hdf5/Remove-duplicate-code.patch b/packages/h/hdf5/Remove-duplicate-code.patch
@@ -0,0 +1,28 @@
+From: Egbert Eich <[email protected]>
+Date: Sat Feb 11 18:08:15 2023 +0100
+Subject: Remove duplicate code
+Patch-mainline: Not yet
+Git-repo: https://github.com/HDFGroup/hdf5
+Git-commit: 539bca81e2b5713b1c6c5723d742377fb92c1ac1
+References: 
+
+Signed-off-by: Egbert Eich <[email protected]>
+Signed-off-by: Egbert Eich <[email protected]>
+---
+ src/H5Oattr.c | 4 ----
+ 1 file changed, 4 deletions(-)
+diff --git a/src/H5Oattr.c b/src/H5Oattr.c
+index 3ef0b99aa4..19d3abfb4c 100644
+--- a/src/H5Oattr.c
++++ b/src/H5Oattr.c
+@@ -222,10 +222,6 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
+     else
+         p += attr->shared->ds_size;
+
+-    /* Get the datatype's size */
+-    if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
+-        HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
+-
+     /* Get the datatype & dataspace sizes */
+     if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
+         HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
diff --git a/packages/h/hdf5/hdf5.changes b/packages/h/hdf5/hdf5.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Feb 13 09:18:05 UTC 2023 - Egbert Eich <[email protected]>
+
+- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus
+  input file (bsc#1207973).
+  https://github.com/HDFGroup/hdf5/issues/2458
+  https://github.com/HDFGroup/hdf5/pull/2459
+  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
+  Remove-duplicate-code.patch
+
 -------------------------------------------------------------------
 Tue Nov 15 04:52:12 UTC 2022 - Atri Bhattacharya <[email protected]>
 

diff --git a/packages/h/hdf5/hdf5.spec b/packages/h/hdf5/hdf5.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package hdf5
+# spec file
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -450,6 +450,8 @@ Patch108:       Make-sure-info-block-for-external-links-has-at-least-3-bytes.pat
 Patch109:       Hot-fix-for-CVE-2020-10812.patch
 Patch110:       Compound-datatypes-may-not-have-members-of-size-0.patch
 Patch111:       H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
+Patch112:       Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
+Patch113:       Remove-duplicate-code.patch
 
 BuildRequires:  fdupes
 %if 0%{?use_sz2}
@@ -704,6 +706,8 @@ library packages.
 %patch109 -p1
 %patch110 -p1
 %patch111 -p1
+%patch112 -p1
+%patch113 -p1
 
 %if %{without hpc}
 # baselibs looks different for different flavors - generate it on the fly