ID FEDORA:411A4607548A Type fedora Reporter Fedora Modified 2016-12-27T15:52:45
Description
HDF5 is a general purpose library and file format for storing scientific data. HDF5 can store two primary objects: datasets and groups. A dataset is essentially a multidimensional array of data elements, and a group is a structure for organizing objects in an HDF5 file. Using these two basic objects, one can create and store almost any kind of scientific data structure, such as images, arrays of vectors, and structured and unstructured grids. You can also mix and match them in HDF5 files according to your needs.
{"id": "FEDORA:411A4607548A", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 25 Update: hdf5-1.8.17-2.fc25", "description": "HDF5 is a general purpose library and file format for storing scientific da ta. HDF5 can store two primary objects: datasets and groups. A dataset is essentially a multidimensional array of data elements, and a group is a structure for organizing objects in an HDF5 file. Using these two basic objects, one can create and store almost any kind of scientific data structure, such as images, arrays of vectors, and structured and unstructur ed grids. You can also mix and match them in HDF5 files according to your need s. ", "published": "2016-12-27T15:52:45", "modified": "2016-12-27T15:52:45", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333"], "lastseen": "2020-12-21T08:17:53", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2018:1051-1", "OPENSUSE-SU-2018:1056-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310703727", "OPENVAS:1361412562310872196", "OPENVAS:703727", "OPENVAS:1361412562310851736"]}, {"type": "freebsd", "idList": ["91E039ED-D689-11E6-9171-14DAE9D210B8"]}, {"type": "gentoo", "idList": ["GLSA-201701-13"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3727-1:980F7", "DEBIAN:DLA-771-1:74ECC"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-771.NASL", "DEBIAN_DSA-3727.NASL", "FREEBSD_PKG_91E039EDD68911E6917114DAE9D210B8.NASL", "OPENSUSE-2018-392.NASL", "GENTOO_GLSA-201701-13.NASL", "FEDORA_2016-3477B592E3.NASL"]}, {"type": "cve", "idList": ["CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4330", "CVE-2016-4333"]}, {"type": "seebug", "idList": ["SSV:96653", "SSV:96651", "SSV:96652", "SSV:96654"]}, {"type": "talos", "idList": ["TALOS-2016-0179", "TALOS-2016-0176", "TALOS-2016-0177", "TALOS-2016-0178"]}], "modified": 
"2020-12-21T08:17:53", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-12-21T08:17:53", "rev": 2}, "vulnersScore": 5.4}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "25", "arch": "any", "packageName": "hdf5", "packageVersion": "1.8.17", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"debian": [{"lastseen": "2019-05-30T02:22:31", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "description": "Package : hdf5\nVersion : 1.8.8-9+deb7u1\nCVE ID : CVE-2016-4330 CVE-2016-4331 CVE-2016-4332 CVE-2016-4333\nDebian Bug : 845301\n\nCisco Talos discovered that hdf5, a file format and library for\nstoring scientific data, contained several vulnerabilities that could\nlead to arbitrary code execution when handling untrusted data.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1.8.8-9+deb7u1.\n\nWe recommend that you upgrade your hdf5 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2016-12-31T16:50:30", "published": "2016-12-31T16:50:30", "id": "DEBIAN:DLA-771-1:74ECC", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201612/msg00048.html", "title": "[SECURITY] [DLA 771-1] hdf5 security update", "type": "debian", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T01:00:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3727-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nNovember 30, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : hdf5\nCVE ID : CVE-2016-4330 CVE-2016-4331 CVE-2016-4332 CVE-2016-4333\nDebian Bug : 845301\n\nCisco Talos discovered that hdf5, a file format and library for\nstoring scientific data, contained several vulnerabilities that could\nlead to arbitrary code execution when handling untrusted data.\n\nFor the stable distribution 
(jessie), these problems have been fixed in\nversion 1.8.13+docs-15+deb8u1.\n\nFor the testing distribution (stretch) and unstable distribution\n(sid), these problems have been fixed in version 1.10.0-patch1+docs-1.\n\nWe recommend that you upgrade your hdf5 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2016-11-30T11:39:38", "published": "2016-11-30T11:39:38", "id": "DEBIAN:DSA-3727-1:980F7", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00310.html", "title": "[SECURITY] [DSA 3727-1] hdf5 security update", "type": "debian", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:35:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-28T00:00:00", "id": "OPENVAS:1361412562310872196", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872196", "type": "openvas", "title": "Fedora Update for hdf5 FEDORA-2016-3477b592e3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for hdf5 FEDORA-2016-3477b592e3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the 
implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872196\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-28 06:04:39 +0100 (Wed, 28 Dec 2016)\");\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for hdf5 FEDORA-2016-3477b592e3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'hdf5'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"hdf5 on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-3477b592e3\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFZSTIUJPE67CTPPJNXWIOXS2AQNRKTS\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"hdf5\", rpm:\"hdf5~1.8.17~2.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T17:38:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-04-25T00:00:00", "id": "OPENVAS:1361412562310851736", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851736", "type": "openvas", "title": "openSUSE: Security Advisory for hdf5 (openSUSE-SU-2018:1056-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851736\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 08:41:02 +0200 (Wed, 25 Apr 2018)\");\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for hdf5 (openSUSE-SU-2018:1056-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'hdf5'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for hdf5 fixes the following issues:\n\n - fix security issues (arbitrary code execution): CVE-2016-4330: H5T_ARRAY\n Code Execution (boo#1011201) CVE-2016-4331: H5Z_NBIT Code Execution\n (boo#1011204) CVE-2016-4332: Shareable Message Type Code Execution\n (boo#1011205) CVE-2016-4333: Array index bounds issue (boo#1011198)\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-392=1\");\n\n script_tag(name:\"affected\", value:\"hdf5 on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", 
value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:1056-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00068.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"hdf5\", rpm:\"hdf5~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-debuginfo\", rpm:\"hdf5-debuginfo~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-debugsource\", rpm:\"hdf5-debugsource~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-devel\", rpm:\"hdf5-devel~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-devel-data\", rpm:\"hdf5-devel-data~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-devel-static\", rpm:\"hdf5-devel-static~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-examples\", rpm:\"hdf5-examples~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-openmpi\", rpm:\"hdf5-openmpi~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-openmpi-debuginfo\", 
rpm:\"hdf5-openmpi-debuginfo~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-openmpi-devel\", rpm:\"hdf5-openmpi-devel~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdf5-openmpi-devel-static\", rpm:\"hdf5-openmpi-devel-static~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libhdf5-10\", rpm:\"libhdf5-10~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libhdf5-10-debuginfo\", rpm:\"libhdf5-10-debuginfo~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libhdf5-10-openmpi\", rpm:\"libhdf5-10-openmpi~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libhdf5-10-openmpi-debuginfo\", rpm:\"libhdf5-10-openmpi-debuginfo~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libhdf5_hl10\", rpm:\"libhdf5_hl10~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libhdf5_hl10-debuginfo\", rpm:\"libhdf5_hl10-debuginfo~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libhdf5_hl10-openmpi\", rpm:\"libhdf5_hl10-openmpi~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libhdf5_hl10-openmpi-debuginfo\", rpm:\"libhdf5_hl10-openmpi-debuginfo~1.8.15~7.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:55:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], 
"description": "Cisco Talos discovered that hdf5, a\nfile format and library for storing scientific data, contained several\nvulnerabilities that could lead to arbitrary code execution when handling\nuntrusted data.", "modified": "2017-07-07T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:703727", "href": "http://plugins.openvas.org/nasl.php?oid=703727", "type": "openvas", "title": "Debian Security Advisory DSA 3727-1 (hdf5 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3727.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3727-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703727);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n script_name(\"Debian Security Advisory DSA 3727-1 (hdf5 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-12-02 17:27:07 +0530 (Fri, 02 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3727.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"hdf5 on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have been fixed in version 1.8.13+docs-15+deb8u1.\n\nFor the testing distribution (stretch) and unstable distribution\n(sid), these problems have been fixed in version 1.10.0-patch1+docs-1.\n\nWe recommend that you upgrade your hdf5 packages.\");\n script_tag(name: \"summary\", value: \"Cisco Talos discovered that hdf5, a\nfile format and library for storing scientific data, contained several\nvulnerabilities that could lead to arbitrary code 
execution when handling\nuntrusted data.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"hdf5-helpers\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"hdf5-tools\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-8:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-8:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-8-dbg:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-8-dbg:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-cpp-8:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-cpp-8:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-cpp-8-dbg:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-cpp-8-dbg:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-doc\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpi-dev\", 
ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-8:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-8:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-8-dbg:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-8-dbg:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich2-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-8:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-8:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-8-dbg:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-8-dbg:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-serial-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"hdf5-helpers\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"hdf5-tools\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-10:amd64\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-10:i386\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-10-dbg:amd64\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-10-dbg:i386\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-cpp-11:amd64\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-cpp-11:i386\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-cpp-11-dbg:amd64\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-cpp-11-dbg:i386\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-dev\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-doc\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpi-dev\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-10:amd64\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-10:i386\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = 
isdpkgvuln(pkg:\"libhdf5-mpich-10-dbg:amd64\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-10-dbg:i386\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-mpich-dev\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-10:amd64\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-10:i386\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-10-dbg:amd64\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-10-dbg:i386\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libhdf5-openmpi-dev\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdf5-serial-dev\", ver:\"1.10.0-patch1+docs-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:35:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "description": "Cisco Talos discovered that hdf5, a\nfile format and library for storing scientific data, contained several\nvulnerabilities that could lead to arbitrary code execution when handling\nuntrusted data.", "modified": "2019-03-18T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310703727", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310703727", "type": "openvas", "title": "Debian Security Advisory DSA 3727-1 (hdf5 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3727.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3727-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703727\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n script_name(\"Debian Security Advisory DSA 3727-1 (hdf5 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 17:27:07 +0530 (Fri, 02 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3727.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(8|9)\");\n script_tag(name:\"affected\", value:\"hdf5 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthese problems have been fixed in version 1.8.13+docs-15+deb8u1.\n\nFor the testing distribution (stretch) and unstable distribution\n(sid), these problems have been fixed in version 1.10.0-patch1+docs-1.\n\nWe recommend that you upgrade your hdf5 packages.\");\n script_tag(name:\"summary\", value:\"Cisco Talos discovered that hdf5, a\nfile format and library for storing scientific data, contained 
several\nvulnerabilities that could lead to arbitrary code execution when handling\nuntrusted data.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"hdf5-helpers\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"hdf5-tools\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-8:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-8:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-8-dbg:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-8-dbg:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-cpp-8:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-cpp-8:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-cpp-8-dbg:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-cpp-8-dbg:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-doc\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-mpi-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"libhdf5-mpich-8:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-8:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-8-dbg:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-8-dbg:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich2-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-8:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-8:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-8-dbg:amd64\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-8-dbg:i386\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-serial-dev\", ver:\"1.8.13+docs-15+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"hdf5-helpers\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"hdf5-tools\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-10:amd64\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-10:i386\", 
ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-10-dbg:amd64\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-10-dbg:i386\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\n\nif((res = isdpkgvuln(pkg:\"libhdf5-cpp-11:amd64\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-cpp-11:i386\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-cpp-11-dbg:amd64\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-cpp-11-dbg:i386\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-dev\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-doc\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-mpi-dev\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-10:amd64\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-10:i386\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-10-dbg:amd64\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-10-dbg:i386\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-mpich-dev\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-10:amd64\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += 
res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-10:i386\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-10-dbg:amd64\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-10-dbg:i386\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libhdf5-openmpi-dev\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libhdf5-serial-dev\", ver:\"1.10.0-patch1+docs-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-06T10:55:23", "description": "Talos Security reports :\n\n- CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code\nExecution Vulnerability\n\n- CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code\nExecution Vulnerability\n\n- CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable\nMessage Type Code Execution Vulnerability\n\n- CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND\nCode Execution Vulnerability", "edition": 25, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2017-01-10T00:00:00", "title": "FreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "modified": "2017-01-10T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:hdf5-18", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:hdf5"], "id": "FREEBSD_PKG_91E039EDD68911E6917114DAE9D210B8.NASL", "href": "https://www.tenable.com/plugins/nessus/96369", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network 
Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96369);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n\n script_name(english:\"FreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Talos Security reports :\n\n- CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code\nExecution Vulnerability\n\n- CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code\nExecution Vulnerability\n\n- CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable\nMessage Type Code Execution Vulnerability\n\n- CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND\nCode Execution Vulnerability\"\n );\n # http://blog.talosintel.com/2016/11/hdf5-vulns.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://blog.talosintelligence.com/2016/11/hdf5-vulns.html\"\n );\n # https://vuxml.freebsd.org/freebsd/91e039ed-d689-11e6-9171-14dae9d210b8.html\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3c2d67c1\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:hdf5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:hdf5-18\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"hdf5<1.10.0\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"hdf5-18<1.8.18\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:44:12", "description": "Cisco Talos discovered that hdf5, a file format and library for\nstoring scientific data, contained several vulnerabilities that could\nlead to arbitrary code execution when handling untrusted data.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.8.8-9+deb7u1.\n\nWe recommend that you upgrade your hdf5 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 15, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2017-01-03T00:00:00", "title": "Debian DLA-771-1 : hdf5 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "modified": "2017-01-03T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libhdf5-serial-dev", "p-cpe:/a:debian:debian_linux:libhdf5-mpi-dev", "p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7-dbg", "p-cpe:/a:debian:debian_linux:libhdf5-doc", "p-cpe:/a:debian:debian_linux:hdf5-helpers", "p-cpe:/a:debian:debian_linux:libhdf5-openmpi-dev", "p-cpe:/a:debian:debian_linux:hdf5-tools", "p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7", "p-cpe:/a:debian:debian_linux:libhdf5-dev", "p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:libhdf5-mpich2-dev", "p-cpe:/a:debian:debian_linux:libhdf5-7", "p-cpe:/a:debian:debian_linux:libhdf5-7-dbg", "p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7-dbg"], "id": "DEBIAN_DLA-771.NASL", "href": "https://www.tenable.com/plugins/nessus/96187", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-771-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96187);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n\n script_name(english:\"Debian DLA-771-1 : hdf5 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cisco Talos discovered that hdf5, a file format and library for\nstoring scientific data, contained several vulnerabilities that could\nlead to arbitrary code execution when handling untrusted data.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.8.8-9+deb7u1.\n\nWe recommend that you upgrade your hdf5 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/12/msg00048.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/hdf5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:hdf5-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:hdf5-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-7-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-mpi-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-dev\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libhdf5-serial-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"hdf5-helpers\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"hdf5-tools\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-7\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-7-dbg\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-dev\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-doc\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", 
prefix:\"libhdf5-mpi-dev\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-mpich2-7\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-mpich2-7-dbg\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-mpich2-dev\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-openmpi-7\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-openmpi-7-dbg\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-openmpi-dev\", reference:\"1.8.8-9+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libhdf5-serial-dev\", reference:\"1.8.8-9+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:14:06", "description": "Security fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332,\nCVE-2016-4333\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2016-12-28T00:00:00", "title": "Fedora 25 : hdf5 (2016-3477b592e3)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "modified": "2016-12-28T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:hdf5", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2016-3477B592E3.NASL", "href": "https://www.tenable.com/plugins/nessus/96157", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-3477b592e3.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96157);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n script_xref(name:\"FEDORA\", value:\"2016-3477b592e3\");\n\n script_name(english:\"Fedora 25 : hdf5 (2016-3477b592e3)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332,\nCVE-2016-4333\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-3477b592e3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected hdf5 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:hdf5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/27\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"hdf5-1.8.17-2.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"hdf5\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T11:05:35", "description": "The remote host is affected by the vulnerability described in GLSA-201701-13\n(HDF5: Multiple vulnerabilities)\n\n Multiple arbitrary code execution vulnerabilities have been discovered\n in HDF5. 
Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n An attacker could execute arbitrary code with the privileges of the\n process via a maliciously crafted database file.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 23, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2017-01-03T00:00:00", "title": "GLSA-201701-13 : HDF5: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "modified": "2017-01-03T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:hdf5", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201701-13.NASL", "href": "https://www.tenable.com/plugins/nessus/96244", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201701-13.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96244);\n script_version(\"3.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n script_xref(name:\"GLSA\", value:\"201701-13\");\n\n script_name(english:\"GLSA-201701-13 : HDF5: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201701-13\n(HDF5: Multiple vulnerabilities)\n\n Multiple arbitrary code execution vulnerabilities have been discovered\n in HDF5. Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n An attacker could execute arbitrary code with the privileges of the\n process via a maliciously crafted database file.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201701-13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All HDF5 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sci-libs/hdf5-1.8.18'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:hdf5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"sci-libs/hdf5\", unaffected:make_list(\"ge 1.8.18\"), vulnerable:make_list(\"lt 1.8.18\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"HDF5\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:49:53", "description": "Cisco Talos discovered that hdf5, a file format and library for\nstoring scientific data, contained several vulnerabilities that could\nlead to arbitrary code execution when handling untrusted data.", "edition": 23, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2016-12-01T00:00:00", "title": "Debian DSA-3727-1 : hdf5 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "modified": "2016-12-01T00:00:00", 
"cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:hdf5"], "id": "DEBIAN_DSA-3727.NASL", "href": "https://www.tenable.com/plugins/nessus/95414", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3727. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95414);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n script_xref(name:\"DSA\", value:\"3727\");\n\n script_name(english:\"Debian DSA-3727-1 : hdf5 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cisco Talos discovered that hdf5, a file format and library for\nstoring scientific data, contained several vulnerabilities that could\nlead to arbitrary code execution when handling untrusted data.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/hdf5\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3727\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the hdf5 packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 1.8.13+docs-15+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:hdf5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"hdf5-helpers\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"hdf5-tools\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-8\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-8-dbg\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"libhdf5-cpp-8\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-cpp-8-dbg\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-dev\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-doc\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-mpi-dev\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-mpich-8\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-mpich-8-dbg\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-mpich-dev\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-mpich2-dev\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-openmpi-8\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-openmpi-8-dbg\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-openmpi-dev\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libhdf5-serial-dev\", reference:\"1.8.13+docs-15+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:37:09", "description": "This update for hdf5 fixes the following issues :\n\n - fix security issues (arbitary code execution):\n CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201)\n CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204)\n CVE-2016-4332: Shareable Message Type Code Execution\n (boo#1011205) CVE-2016-4333: Array index bounds issue\n 
(boo#1011198)", "edition": 16, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2018-04-24T00:00:00", "title": "openSUSE Security Update : hdf5 (openSUSE-2018-392)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "modified": "2018-04-24T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libhdf5_hl10", "p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi", "p-cpe:/a:novell:opensuse:libhdf5-10-debuginfo", "p-cpe:/a:novell:opensuse:libhdf5-10-openmpi-debuginfo", "p-cpe:/a:novell:opensuse:hdf5", "p-cpe:/a:novell:opensuse:hdf5-openmpi-debuginfo", "p-cpe:/a:novell:opensuse:hdf5-devel-data", "p-cpe:/a:novell:opensuse:hdf5-openmpi", "p-cpe:/a:novell:opensuse:hdf5-debuginfo", "p-cpe:/a:novell:opensuse:libhdf5-10-openmpi", "p-cpe:/a:novell:opensuse:hdf5-debugsource", "p-cpe:/a:novell:opensuse:hdf5-openmpi-devel", "p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi-debuginfo", "p-cpe:/a:novell:opensuse:hdf5-openmpi-devel-static", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:hdf5-examples", "p-cpe:/a:novell:opensuse:libhdf5-10", "p-cpe:/a:novell:opensuse:libhdf5_hl10-debuginfo", "p-cpe:/a:novell:opensuse:hdf5-devel-static", "p-cpe:/a:novell:opensuse:hdf5-devel"], "id": "OPENSUSE-2018-392.NASL", "href": "https://www.tenable.com/plugins/nessus/109296", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-392.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109296);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-4330\", \"CVE-2016-4331\", \"CVE-2016-4332\", \"CVE-2016-4333\");\n\n script_name(english:\"openSUSE 
Security Update : hdf5 (openSUSE-2018-392)\");\n script_summary(english:\"Check for the openSUSE-2018-392 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for hdf5 fixes the following issues :\n\n - fix security issues (arbitary code execution):\n CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201)\n CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204)\n CVE-2016-4332: Shareable Message Type Code Execution\n (boo#1011205) CVE-2016-4333: Array index bounds issue\n (boo#1011198)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1011198\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1011201\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1011204\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1011205\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected hdf5 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-devel-data\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:hdf5-devel-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-openmpi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-openmpi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libhdf5-10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libhdf5-10-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libhdf5_hl10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libhdf5_hl10-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-debuginfo-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-debugsource-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-devel-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-devel-data-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-devel-static-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-examples-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-openmpi-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-openmpi-debuginfo-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-openmpi-devel-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"hdf5-openmpi-devel-static-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", 
reference:\"libhdf5-10-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libhdf5-10-debuginfo-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libhdf5-10-openmpi-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libhdf5-10-openmpi-debuginfo-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libhdf5_hl10-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libhdf5_hl10-debuginfo-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libhdf5_hl10-openmpi-1.8.15-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libhdf5_hl10-openmpi-debuginfo-1.8.15-7.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"hdf5 / hdf5-debuginfo / hdf5-debugsource / hdf5-devel / etc\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2018-04-24T05:30:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "description": "This update for hdf5 fixes the following issues:\n\n - fix security issues (arbitary code execution): CVE-2016-4330: H5T_ARRAY\n Code Execution (boo#1011201) CVE-2016-4331: H5Z_NBIT Code Execution\n (boo#1011204) CVE-2016-4332: Shareable Message Type Code Execution\n (boo#1011205) CVE-2016-4333: Array index bounds issue (boo#1011198)\n\n", "edition": 1, "modified": "2018-04-24T03:19:16", "published": "2018-04-24T03:19:16", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00068.html", "id": "OPENSUSE-SU-2018:1056-1", "type": "suse", "title": "Security update for hdf5 (important)", "cvss": {"score": 6.9, "vector": 
"AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-24T05:30:38", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "description": "This update for hdf5 fixes the following issues:\n\n - fix security issues (arbitary code execution): CVE-2016-4330: H5T_ARRAY\n Code Execution (boo#1011201) CVE-2016-4331: H5Z_NBIT Code Execution\n (boo#1011204) CVE-2016-4332: Shareable Message Type Code Execution\n (boo#1011205) CVE-2016-4333: Array index bounds issue (boo#1011198)\n\n", "edition": 1, "modified": "2018-04-24T03:07:15", "published": "2018-04-24T03:07:15", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00067.html", "id": "OPENSUSE-SU-2018:1051-1", "type": "suse", "title": "Security update for hdf5 (important)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2017-01-02T15:12:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "edition": 1, "description": "### Background\n\nHDF5 technology suite includes a data model, library, and file format for storing and managing data. \n\n### Description\n\nMultiple arbitrary code execution vulnerabilities have been discovered in HDF5. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn attacker could execute arbitrary code with the privileges of the process via a maliciously crafted database file. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll HDF5 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sci-libs/hdf5-1.8.18\"", "modified": "2017-01-02T00:00:00", "published": "2017-01-02T00:00:00", "href": "https://security.gentoo.org/glsa/201701-13", "id": "GLSA-201701-13", "type": "gentoo", "title": "HDF5: Multiple vulnerabilities", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4331", "CVE-2016-4330", "CVE-2016-4333", "CVE-2016-4332"], "description": "\nTalos Security reports:\n\n\nCVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability\nCVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability\nCVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability\nCVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability\n\n\n", "edition": 4, "modified": "2016-11-17T00:00:00", "published": "2016-11-17T00:00:00", "id": "91E039ED-D689-11E6-9171-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/91e039ed-d689-11e6-9171-14dae9d210b8.html", "title": "hdf5 -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-10-03T12:10:46", "description": "The HDF5 1.8.16 library allocating space for the array using a value from the file has an impact within the loop for initializing said array allowing a value within the file to modify the loop's terminator. 
Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2016-11-18T20:59:00", "title": "CVE-2016-4333", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4333"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/a:hdfgroup:hdf5:1.8.16"], "id": "CVE-2016-4333", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4333", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hdfgroup:hdf5:1.8.16:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:46", "description": "When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 8.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2016-11-18T20:59:00", "title": "CVE-2016-4331", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4331"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/a:hdfgroup:hdf5:1.8.16"], "id": "CVE-2016-4331", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4331", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hdfgroup:hdf5:1.8.16:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:46", "description": "The library's failure to check if certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type and the library will write outside the bounds of the heap buffer. 
This can lead to code execution under the context of the library.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2016-11-18T20:59:00", "title": "CVE-2016-4332", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4332"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/a:hdfgroup:hdf5:1.8.16"], "id": "CVE-2016-4332", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4332", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hdfgroup:hdf5:1.8.16:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:46", "description": "In the HDF5 1.8.16 library's failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.6, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2016-11-18T20:59:00", "title": "CVE-2016-4330", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4330"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/a:hdfgroup:hdf5:1.8.16"], "id": "CVE-2016-4330", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4330", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hdfgroup:hdf5:1.8.16:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T11:56:51", "description": "### Description\r\nHDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS.\r\n\r\nThe vulnerability exists due to the library allocating space for the array using a value from the file, and then within the loop for initializing said array allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it. 
This is a heap-based buffer overflow, and can lead to code execution under the context of the application using the library.\r\n\r\n### Tested Versions\r\n* hdf5-1.8.16.tar.bz2\r\n* tools/h5ls: Version 1.8.16\r\n* tools/h5stat: Version 1.8.16\r\n* tools/h5dump: Version 1.8.16\r\n\r\n### Product Urls\r\n* http://www.hdfgroup.org/HDF5/\r\n* http://www.hdfgroup.org/HDF5/release/obtainsrc.html\r\n* http://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2\r\n\r\n### CVSSv3 Score\r\n8.6 -- CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\r\n\r\n### Details\r\nThe HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a file system, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that's able to contain other Datasets or Groups. Associated with each entry is metadata containing user-defined named attributes that can be used to describe the dataset.\r\n\r\nWithin the HDF file format, paths can be specified as the '/'-separated posix format. When reading a dataset, the library will open the object using H5D__open_oid. Inside this function, the library will read the type and its location. 
Once the type and its location are read, then the library will pass the H5O_DTYPE_ID value along with its location onto H5O_msg_read.\r\n```\r\nsrc/H5Dint.c:1221\r\nstatic herr_t\r\nH5D__open_oid(H5D_t *dataset, hid_t dapl_id, hid_t dxpl_id)\r\n{\r\n...\r\n /* Open the dataset object */\r\n if(H5O_open(&(dataset->oloc)) < 0)\r\n HGOTO_ERROR(H5E_DATASET, H5E_CANTOPENOBJ, FAIL, \"unable to open\")\r\n\r\n /* Get the type and space */\r\n if(NULL == (dataset->shared->type = (H5T_t *)H5O_msg_read(&(dataset->oloc), H5O_DTYPE_ID, NULL, dxpl_id))) // XXX: \\\r\n HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, \"unable to load type info from dataset header\")\r\n\\\r\nsrc/H5Omessage.c:463\r\nvoid *\r\nH5O_msg_read(const H5O_loc_t *loc, unsigned type_id, void *mesg,\r\n hid_t dxpl_id)\r\n{\r\n H5O_t *oh = NULL; /* Object header to use */\r\n void *ret_value; /* Return value */\r\n...\r\n /* Get the object header */\r\n if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ)))\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, NULL, \"unable to protect object header\")\r\n\r\n /* Call the \"real\" read routine */\r\n if(NULL == (ret_value = H5O_msg_read_oh(loc->file, dxpl_id, oh, type_id, mesg))) // XXX: read the message from the object header\r\n HGOTO_ERROR(H5E_OHDR, H5E_READERROR, NULL, \"unable to read object header message\")\r\n```\r\nInside H5O_msg_read_oh, the application will use the type_id argument to determine which message type is being used for a message. This message type is used to determine which callback to use in order to handle the message. 
This process occurs within the macro H5O_LOAD_NATIVE at H5Omessage.c:545\r\n```\r\n\r\nsrc/H5Omessage.c:517\r\nvoid *\r\nH5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id,\r\n void *mesg)\r\n{\r\n const H5O_msg_class_t *type; /* Actual H5O class type for the ID */\r\n unsigned idx; /* Message's index in object header */\r\n void *ret_value = NULL;\r\n...\r\n for(idx = 0; idx < oh->nmesgs; idx++)\r\n if(type == oh->mesg[idx].type)\r\n break;\r\n...\r\n H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)\r\n```\r\n\r\nInside the H5O_LOAD_NATIVE macro, the application will select a structure containing function pointers out of the msg->type field. This structure contains various functions that are used to decode the message. When decoding a msg of type H5O_DTYPE_ID, the library will dispatch into the H5O_dtype_shared_decode function. This function will eventually call H5O_dtype_decode. Inside H5O_dtype_decode, the application will then call H5O_dtype_decode_helper which is responsible for decoding the data types.\r\n```\r\nsrc/H5Oshared.h:50\r\nstatic H5_INLINE void *\r\nH5O_SHARED_DECODE(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags,\r\n unsigned *ioflags, const uint8_t *p)\r\n{\r\n...\r\n /* Decode native message directly */\r\n if(NULL == (ret_value = H5O_SHARED_DECODE_REAL(f, dxpl_id, open_oh, mesg_flags, ioflags, p))) // XXX: \\\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, \"unable to decode native message\")\r\n } /* end else */\r\n\\\r\nsrc/H5Odtype.c:1091\r\nstatic void *\r\nH5O_dtype_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,\r\n unsigned *ioflags/*in,out*/, const uint8_t *p)\r\n{\r\n...\r\n /* Allocate datatype message */\r\n if(NULL == (dt = H5T__alloc()))\r\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\r\n\r\n /* Perform actual decode of message */\r\n if(H5O_dtype_decode_helper(f, ioflags, &p, dt) < 0)\r\n 
HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, \"can't decode type\")\r\n```\r\n\r\nInside decode helper, the library will read a dword from the file and use the bottom 4 bits to determine the datatype. If the datatype is H5T_COMPOUND(6), the library will enter the case at src/H5Odtype.c:260. At the beginning of this case, the library will use a bitmask from the fields to allocate space for the number of members.\r\n```\r\nsrc/H5Odtype.c:133\r\nstatic htri_t\r\nH5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags/*in,out*/, const uint8_t **pp, H5T_t *dt)\r\n{\r\n...\r\n case H5T_COMPOUND:\r\n {\r\n...\r\n dt->shared->u.compnd.nmembs = flags & 0xffff;\r\n if(dt->shared->u.compnd.nmembs == 0)\r\n HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, \"invalid number of members: %u\", dt->shared->u.compnd.nmembs)\r\n dt->shared->u.compnd.nalloc = dt->shared->u.compnd.nmembs; // XXX: proof-of-concept sets this to 3\r\n dt->shared->u.compnd.memb = (H5T_cmemb_t *)H5MM_calloc(dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t)); // XXX: buffer that's later written to\r\n dt->shared->u.compnd.memb_size = 0;\r\n```\r\n\r\nImmediately afterwards, the library will enter a loop that is terminated by the number of members in the prior snippet. For each iteration of this loop, the library will read a number of dimensions that will be passed to a function H5T__array_create. Although the library checks that the number of dimensions read is bounded by 4, the check is done via an assertion. 
When the library is built in production mode[3], this assertion will be optimized out by the preprocessor.\r\n```\r\nsrc/H5Odtype.c:282\r\n for(i = 0; i < dt->shared->u.compnd.nmembs; i++) { // XXX: u.array.ndims\r\n unsigned ndims = 0; /* Number of dimensions of the array field */\r\n htri_t can_upgrade; /* Whether we can upgrade this type's version */\r\n hsize_t dim[H5O_LAYOUT_NDIMS]; /* Dimensions of the array */\r\n H5T_t *array_dt; /* Temporary pointer to the array datatype */\r\n H5T_t *temp_type; /* Temporary pointer to the field's datatype */\r\n...\r\n if(version == H5O_DTYPE_VERSION_1) {\r\n /* Decode the number of dimensions */\r\n ndims = *(*pp)++; // XXX: ndims can be changed within the loop\r\n HDassert(ndims <= 4); // XXX: assertion, if ndims > 4 then H5T__array_create will read oob\r\n *pp += 3; /*reserved bytes */\r\n...\r\n } /* end if */\r\n...\r\n if(version == H5O_DTYPE_VERSION_1) {\r\n...\r\n if((array_dt = H5T__array_create(temp_type, ndims, dim)) == NULL) { // XXX: ndims is passed here\r\n...\r\n } /* end if */\r\n```\r\n\r\nInside H5T__array_create, the library will use the ndims value as a terminator to a loop. This loop is used to calculate the size of the array. Due to the index being oob of the 4-element array, the loop can assign an arbitrary value to u.array.ndims and u.array.nelem. 
These values are actually a union within the structure that they're written to, and due to this can be used to change the length of the loop after the space has already been allocated.\r\n```\r\nsrc/H5Tarray.c:179\r\nH5T_t *\r\nH5T__array_create(H5T_t *base, unsigned ndims, const hsize_t dim[/* ndims */])\r\n{\r\n H5T_t *ret_value; /* new array data type */\r\n unsigned u; /* local index variable */\r\n...\r\n /* Build new type */\r\n if(NULL == (ret_value = H5T__alloc()))\r\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\r\n ret_value->shared->type = H5T_ARRAY;\r\n...\r\n /* Set the array parameters */\r\n ret_value->shared->u.array.ndims = ndims; // XXX: writes to u.compnd.nmembs\r\n\r\n /* Copy the array dimensions & compute the # of elements in the array */\r\n for(u = 0, ret_value->shared->u.array.nelem = 1; u < ndims; u++) {\r\n H5_CHECKED_ASSIGN(ret_value->shared->u.array.dim[u], size_t, dim[u], hsize_t);\r\n ret_value->shared->u.array.nelem *= (size_t)dim[u]; // XXX: multiply using uninitialized values. writes to u.compnd.nalloc\r\n } /* end for */\r\n\r\n /* Set the array's size (number of elements * element datatype's size) */\r\n ret_value->shared->size = ret_value->shared->parent->shared->size * ret_value->shared->u.array.nelem; // XXX\r\n...\r\n FUNC_LEAVE_NOAPI(ret_value)\r\n} /* end H5T__array_create */\r\n```\r\n\r\nThe structures that overlap are located within the H5T_shared_t definition in src/H5Tpkg.h:288. 
In this structure, the \"u\" field is a union of both an H5T_array_t and an H5T_compnd_t which both are used within the loop that was explained in the prior snippet.\r\n```\r\nsrc/H5Tpkg.h:288\r\ntypedef struct H5T_shared_t {\r\n hsize_t fo_count; /* number of references to this file object */\r\n...\r\n struct H5T_t *parent;/*parent type for derived datatypes */\r\n union {\r\n H5T_atomic_t atomic; /* an atomic datatype */\r\n H5T_compnd_t compnd; /* a compound datatype (struct) */\r\n H5T_enum_t enumer; /* an enumeration type (enum) */\r\n H5T_vlen_t vlen; /* a variable-length datatype */\r\n H5T_opaque_t opaque; /* an opaque datatype */\r\n H5T_array_t array; /* an array datatype */\r\n } u;\r\n} H5T_shared_t;\r\n```\r\n\r\nIn these structures, H5T_array_t.nelem is the same as H5T_compnd_t.nalloc, and H5T_array_t.ndims is the same as H5T_compnd_t.nmembs. These are defined below. The fields that are used to control the allocation and the loop are marked.\r\n```\r\nsrc/H5Tpkg.h:273\r\ntypedef struct H5T_array_t {\r\n size_t nelem; /* total number of elements in array */ // XXX: modified using elements outside of the dims variable\r\n unsigned ndims; /* member dimensionality */ // XXX: modified inside H5T__array_create\r\n size_t dim[H5S_MAX_RANK]; /* size in each dimension */\r\n} H5T_array_t;\r\n\r\nsrc/H5Tpkg.h:217\r\ntypedef struct H5T_compnd_t {\r\n unsigned nalloc; /*num entries allocated in MEMB array*/ // XXX: used to control the allocation\r\n unsigned nmembs; /*number of members defined in struct*/ // XXX: used to terminate the loop\r\n H5T_sort_t sorted; /*how are members sorted? */\r\n hbool_t packed; /*are members packed together? */\r\n H5T_cmemb_t *memb; /*array of struct members */\r\n size_t memb_size; /*total of all member sizes */\r\n} H5T_compnd_t;\r\n```\r\n\r\nReferring back to the loop, these two fields are used to control when the loop terminates. 
Since u.array.ndims lets the library modify the value of u.compnd.nmembs, the code at line 391 will write outside the bounds of the allocation. This is a heap-based buffer overflow and can lead to code execution under the context of the application using the library.\r\n```\r\nsrc/H5Odtype.c:282\r\n for(i = 0; i < dt->shared->u.compnd.nmembs; i++) { // XXX: u.array.ndims\r\n... src/H5Odtype.c:391 ...\r\n /* Member size */\r\n dt->shared->u.compnd.memb[i].size = temp_type->shared->size; // XXX: writes outside of bounds of loop.\r\n dt->shared->u.compnd.memb_size += temp_type->shared->size;\r\n\r\n /* Set the field datatype (finally :-) */\r\n dt->shared->u.compnd.memb[i].type = temp_type;\r\n```\r\n\r\n### Crash Analysis\r\n```\r\n$ gdb -q --args bin/h5stat poc.hdf\r\n1542 ../../../tools/h5stat/h5stat.c: No such file or directory.\r\n(gdb) bp src/H5Odtype.c:278\r\nBreakpoint 4 at 0xb6b04b3f: file ../../src/H5Odtype.c, line 278.\r\n(gdb) bp src/H5Odtype.c:312\r\nBreakpoint 5 at 0xb6b07356: file ../../src/H5Odtype.c, line 312.\r\n(gdb) bp src/H5Odtype.c:352\r\nBreakpoint 6 at 0xb6b091f7: file ../../src/H5Odtype.c, line 352.\r\n(gdb) bp src/H5Odtype.c:392\r\nBreakpoint 7 at 0xb6b0a852: file ../../src/H5Odtype.c, line 392.\r\n(gdb) r\r\nStarting program: $HOME/hdf5-1.8.16/release/bin/h5stat poc.hdf\r\nFilename: poc.hdf\r\n\r\nBreakpoint 3, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:278\r\n278 dt->shared->u.compnd.memb = (H5T_cmemb_t *)H5MM_calloc(dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t));\r\n(gdb) p dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t)\r\n$1 = 0x30\r\n(gdb) n\r\n279 dt->shared->u.compnd.memb_size = 0;\r\n(gdb) p dt->shared->u.compnd.memb\r\n$2 = (H5T_cmemb_t *) 0x83f4070\r\n(gdb) ba dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t)\r\nHardware watchpoint 7: *(dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc 
* sizeof(H5T_cmemb_t))\r\n\r\n(gdb) c\r\nContinuing.\r\nHardware watchpoint 7: *(dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t))\r\n\r\nOld value = 0x0\r\nNew value = <unreadable>\r\nH5T__array_create (base=base@entry=0x83df448, ndims=ndims@entry=0x80, dim=dim@entry=0xbfffebc8) at ../../src/H5Tarray.c:206\r\n206 ret_value->shared->u.array.nelem *= (size_t)dim[u];\r\n\r\n(gdb) c\r\nContinuing.\r\n\r\nBreakpoint 6, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:392\r\n392 dt->shared->u.compnd.memb[i].size = temp_type->shared->size;\r\n(gdb) n\r\n\r\nCatchpoint 2 (signal SIGSEGV), 0x08148372 in H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:392\r\n392 dt->shared->u.compnd.memb[i].size = temp_type->shared->size;\r\n\r\nProgram terminated with signal SIGSEGV, Segmentation fault.\r\nThe program no longer exists.\r\n(gdb)\r\n\r\n\r\n\r\n==2061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2b20758 at pc 0xb699e18c bp 0xbfa0e618 sp 0xbfa0e610\r\nWRITE of size 4 at 0xb2b20758 thread T0\r\n #0 0xb699e18b in H5T__array_create $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:205\r\n #1 0xb629b2e4 in H5O_dtype_decode_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:352\r\n #2 0xb628d881 in H5O_dtype_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:1108\r\n #3 0xb6259fd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Oshared.h:84\r\n #4 0xb6335a5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:554\r\n #5 0xb63338a6 in H5O_msg_read $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:483\r\n #6 0xb57d3b96 in H5D__open_oid $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1245\r\n #7 0xb57d0df7 in H5D_open 
$HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1153\r\n #8 0xb56763f9 in H5Dopen2 $HOME/hdf5-1.8.16/memcheck/src/../../src/H5D.c:368\r\n #9 0x80e0ecd in dataset_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:473\r\n #10 0x80d1d39 in obj_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:685\r\n #11 0x81d307d in traverse_cb $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:237\r\n #12 0xb5c6a66a in H5G_visit_cb $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:939\r\n #13 0xb5cbea72 in H5G__node_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026\r\n #14 0xb54b2c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175\r\n #15 0xb54b06db in H5B_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220\r\n #16 0xb5d17773 in H5G__stab_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565\r\n #17 0xb5ce2af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707\r\n #18 0xb5c67be2 in H5G_visit $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:1174\r\n #19 0xb6022f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1378\r\n #20 0x81bed2e in traverse $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:310\r\n #21 0x81c9df5 in h5trav_visit $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:1164\r\n #22 0x80cf9e3 in main $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:1623\r\n #23 0xb506ea82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n #24 0x80cde74 in _start ($HOME/hdf5-1.8.16/memcheck/bin/h5stat+0x80cde74)\r\n\r\n0xb2b20758 is located 0 bytes to the right of 168-byte region [0xb2b206b0,0xb2b20758)\r\nallocated by thread T0 here:\r\n #0 0x80b6b8e in calloc ($HOME/hdf5-1.8.16/memcheck/bin/h5stat+0x80b6b8e)\r\n #1 0xb6093d5b in H5MM_calloc $HOME/hdf5-1.8.16/memcheck/src/../../src/H5MM.c:107\r\n #2 0xb6982712 in H5T__alloc $HOME/hdf5-1.8.16/memcheck/src/../../src/H5T.c:3462\r\n 
#3 0xb699d08c in H5T__array_create $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:192\r\n #4 0xb629b2e4 in H5O_dtype_decode_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:352\r\n #5 0xb628d881 in H5O_dtype_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:1108\r\n #6 0xb6259fd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Oshared.h:84\r\n #7 0xb6335a5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:554\r\n #8 0xb63338a6 in H5O_msg_read $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:483\r\n #9 0xb57d3b96 in H5D__open_oid $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1245\r\n #10 0xb57d0df7 in H5D_open $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1153\r\n #11 0xb56763f9 in H5Dopen2 $HOME/hdf5-1.8.16/memcheck/src/../../src/H5D.c:368\r\n #12 0x80e0ecd in dataset_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:473\r\n #13 0x80d1d39 in obj_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:685\r\n #14 0x81d307d in traverse_cb $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:237\r\n #15 0xb5c6a66a in H5G_visit_cb $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:939\r\n #16 0xb5cbea72 in H5G__node_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026\r\n #17 0xb54b2c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175\r\n #18 0xb54b06db in H5B_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220\r\n #19 0xb5d17773 in H5G__stab_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565\r\n #20 0xb5ce2af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707\r\n #21 0xb5c67be2 in H5G_visit $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:1174\r\n #22 0xb6022f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1378\r\n #23 0x81bed2e in traverse $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:310\r\n #24 0x81c9df5 
in h5trav_visit $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:1164\r\n #25 0x80cf9e3 in main $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:1623\r\n #26 0xb506ea82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:205 H5T__array_create\r\n```\r\n\r\n### Timeline\r\n* 2016-05-08 - Discovery \r\n* 2016-05-17 - Vendor Notification \r\n* 2016-11-15 - Public Disclosure \r\n\r\n### References\r\n* [1] https://en.wikipedia.org/wiki/HierarchicalDataFormat\r\n* [2] http://www.hdfgroup.org/HDF5/", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability(CVE-2016-4333)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4333"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96651", "id": "SSV:96651", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:56:50", "description": "### Description\r\nHDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS.\r\n\r\nThe vulnerability exists when the library is decoding data out of a dataset encoded with the H5Z_NBIT decoding. When calculating the precision that a BCD number is encoded as, the library will fail to ensure that the precision is within the bounds of the size. Due to this, the library will calculate an index outside the bounds of the space allocated for the BCD number. 
Whilst decoding this data, the library will then write outside the bounds of the buffer leading to a heap-based buffer overflow. This can lead to code execution under the context of the application using the library.\r\n\r\n### Tested Versions\r\n* hdf5-1.8.16.tar.bz2\r\n* tools/h5ls: Version 1.8.16\r\n* tools/h5stat: Version 1.8.16\r\n* tools/h5dump: Version 1.8.16\r\n\r\n### Product Urls\r\n* http://www.hdfgroup.org/HDF5/\r\n* http://www.hdfgroup.org/HDF5/release/obtainsrc.html\r\n* http://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2\r\n\r\n### CVSSv3 Score\r\n8.6 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\r\n\r\n### Details\r\nThe HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a file system, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that's able to contain other Datasets or Groups. Associated with each entry is metadata containing user-defined named attributes that can be used to describe the dataset.\r\n\r\nWhen reading a dataset out of the file, the HDF5 library will call the following function, H5Dread. After allocating space for the buffer, the library will call an internal function, H5D__read, which will eventually call into H5D__chunk_lock. 
This function is responsible for reading the contents of the dataset into a cache that the application will later be able to access.\r\n```\r\nsrc/H5Dio.c:125\r\n\r\nherr_t\r\n\r\nH5Dread(hid_t dset_id, hid_t mem_type_id, hid_t mem_space_id,\r\n\r\n hid_t file_space_id, hid_t plist_id, void *buf/*out*/)\r\n\r\n{\r\n\r\n...\r\n\r\n /* read raw data */\r\n\r\n if(H5D__read(dset, mem_type_id, mem_space, file_space, plist_id, buf/*out*/) < 0)\r\n\r\n HGOTO_ERROR(H5E_DATASET, H5E_READERROR, FAIL, \"can't read data\")\r\n\r\n\r\n\r\nsrc/H5Dio.c:373\r\n\r\nherr_t\r\n\r\nH5D__read(H5D_t *dataset, hid_t mem_type_id, const H5S_t *mem_space,\r\n\r\n const H5S_t *file_space, hid_t dxpl_id, void *buf/*out*/)\r\n\r\n{\r\n\r\n...\r\n\r\n /* Invoke correct \"high level\" I/O routine */\r\n\r\n if((*io_info.io_ops.multi_read)(&io_info, &type_info, nelmts, file_space, mem_space, &fm) <\r\n0) // XXX: \\\r\n\r\n HGOTO_ERROR(H5E_DATASET, H5E_READERROR, FAIL, \"can't read data\")\r\n\r\n\r\n\r\n\\ ... src/H5Dchunk.c:1873\r\n\r\n /* Lock the chunk into the cache */\r\n\r\n if(NULL == (chunk = H5D__chunk_lock(io_info, &udata, FALSE)))\r\n\r\n HGOTO_ERROR(H5E_IO, H5E_READERROR, FAIL, \"unable to read raw data chunk\")\r\n```\r\n\r\nOnce the chunk has been read by H5D__chunk_lock, the library will call into its filter pipeline to determine how it can decode the data. This happens by calling H5Z_pipeline. 
Inside H5Z_pipeline, the library will determine what kind of filter to choose and then call the \"filter\" method from a data structure that contains methods or handlers that deal with the specific encoding type.\r\n```\r\nsrc/H5Dchunk.c:2808\r\n\r\nvoid *\r\n\r\nH5D__chunk_lock(const H5D_io_info_t *io_info, H5D_chunk_ud_t *udata,\r\n\r\n hbool_t relax)\r\n\r\n{\r\n\r\n\r\n\r\n if(H5Z_pipeline(pline, H5Z_FLAG_REVERSE, &(udata->filter_mask), io_info->dxpl_cache-\r\n>err_detect, // XXX: \\\r\n\r\n io_info->dxpl_cache->filter_cb, &chunk_alloc, &chunk_alloc, &chunk) < 0)\r\n\r\n HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, NULL, \"data pipeline read failed\")\r\n\r\n H5_CHECKED_ASSIGN(udata->nbytes, uint32_t, chunk_alloc, size_t);\r\n\r\n\\\r\n\r\nsrc/H5Z.c:1285\r\n\r\nherr_t\r\n\r\nH5Z_pipeline(const H5O_pline_t *pline, unsigned flags,\r\n\r\n unsigned *filter_mask/*in,out*/, H5Z_EDC_t edc_read,\r\n\r\n H5Z_cb_t cb_struct, size_t *nbytes/*in,out*/,\r\n\r\n size_t *buf_size/*in,out*/, void **buf/*in,out*/)\r\n\r\n{\r\n\r\n\r\n\r\n\r\n\r\n tmp_flags=flags|(pline->filter[idx].flags);\r\n\r\n tmp_flags|=(edc_read== H5Z_DISABLE_EDC) ? H5Z_FLAG_SKIP_EDC : 0;\r\n\r\n new_nbytes = (fclass->filter)(tmp_flags, pline->filter[idx].cd_nelmts, // XXX: calls\r\nH5Z_filter_nbit\r\n\r\n pline->filter[idx].cd_values, *nbytes, buf_size, buf);\r\n```\r\n\r\nWhen handling data encoded with the nbit encoding type, the library will call H5Z_filter_nbit. This function will take inputs from the file and use them to calculate the amount of space required to decode the encoded data. This is done by taking the number of elements and multiplying it by the size of each element. With the provided proof of concept, the size is 4 and the number of elements is 12. 
This results in a buffer size of 48 bytes.\r\n```\r\nsrc/H5Znbit.c:865\r\n\r\nstatic size_t\r\n\r\nH5Z_filter_nbit(unsigned flags, size_t cd_nelmts, const unsigned cd_values[],\r\n\r\n size_t nbytes, size_t *buf_size, void **buf)\r\n\r\n{\r\n\r\n\r\n\r\n /* copy a filter parameter to d_nelmts */\r\n\r\n d_nelmts = cd_values[2]; // XXX: number of elements\r\n\r\n\r\n\r\n /* input; decompress */\r\n\r\n if(flags & H5Z_FLAG_REVERSE) {\r\n\r\n size_out = d_nelmts * cd_values[4]; /* cd_values[4] stores datatype size */ // XXX:\r\nsize of elements\r\n\r\n\r\n\r\n /* allocate memory space for decompressed buffer */\r\n\r\n if(NULL == (outbuf = (unsigned char *)H5MM_malloc(size_out))) // XXX:\r\nseems to be 0x30\r\n\r\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, 0, \"memory allocation failed for nbit\r\ndecompression\")\r\n\r\n\r\n\r\n /* decompress the buffer */\r\n\r\n H5Z_nbit_decompress(outbuf, d_nelmts, (unsigned char *)*buf, cd_values); // XXX:\r\ndecompress data into outbuf\r\n```\r\n\r\nWhen entering the H5Z_NBIT_ATOMIC case, the library copies input from the file into a structure that gets passed to H5Z_nbit_decompress_one_atomic. This loop will iterate for the number of elements that were stored in the dataset. 
The field that is used later to write outside the buffer allocated in the prior snippet is used to determine the precision of a binary-coded-decimal number.\r\n```\r\nsrc/H5Znbit.c:1140\r\n\r\nstatic void\r\n\r\nH5Z_nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,\r\n\r\n const unsigned parms[])\r\n\r\n{\r\n\r\n\r\n\r\n switch(parms[3]) {\r\n\r\n case H5Z_NBIT_ATOMIC:\r\n\r\n /* set the index before goto function call */\r\n\r\n p.size = parms[4];\r\n\r\n p.order = parms[5];\r\n\r\n p.precision = parms[6]; // XXX: used later\r\n\r\n p.offset = parms[7];\r\n\r\n for(i = 0; i < d_nelmts; i++) {\r\n\r\n H5Z_nbit_decompress_one_atomic(data, i*p.size, buffer, &j, &buf_len, p);\r\n\r\n }\r\n\r\n break;\r\n```\r\n\r\nOnce inside H5Z_nbit_decompress_one_atomic, the library will use the value of p.precision to calculate the index into the buffer that was allocated. Due to a lack of bounds-checking, this index will allow a loop that is executed later to write outside the bounds of the buffer. 
If precision is larger than datatype_len, then the index can be made to overflow.\r\n```\r\nsrc/H5Znbit.c:1012\r\n\r\nstatic void\r\n\r\nH5Z_nbit_decompress_one_atomic(unsigned char *data, size_t data_offset,\r\n\r\n unsigned char *buffer, size_t *j, int *buf_len, parms_atomic p)\r\n\r\n{\r\n\r\n /* begin_i: the index of byte having first significant bit\r\n\r\n end_i: the index of byte having last significant bit */\r\n\r\n int k, begin_i, end_i, datatype_len;\r\n\r\n\r\n\r\n datatype_len = p.size * 8;\r\n\r\n\r\n\r\n if(p.order == H5Z_NBIT_ORDER_BE) { /* big endian */\r\n\r\n /* calculate begin_i and end_i */\r\n\r\n begin_i = (datatype_len - p.precision - p.offset) / 8; // XXX: p.precision is used here to calculate begin_i\r\n\r\n if(p.offset % 8 != 0)\r\n\r\n end_i = (datatype_len - p.offset) / 8;\r\n\r\n else\r\n\r\n end_i = (datatype_len - p.offset) / 8 - 1;\r\n\r\n\r\n\r\n for(k = begin_i; k <= end_i; k++)\r\n\r\n H5Z_nbit_decompress_one_byte(data, data_offset, k, begin_i, end_i, // XXX: k == begin_i\r\n\r\n buffer, j, buf_len, p, datatype_len);\r\n```\r\n\r\nIt is within H5Z_nbit_decompress_one_byte that the library will write outside its bounds. Due to the value of begin_i pointing outside the buffer, this can be used to trigger a buffer overflow and overwrite adjacent data. 
This is a heap-based buffer overflow and can lead to code execution within the context of the library.\r\n```\r\nsrc/H5Znbit.c:943\r\n\r\nstatic void\r\n\r\nH5Z_nbit_decompress_one_byte(unsigned char *data, size_t data_offset, int k,\r\n\r\n int begin_i, int end_i, unsigned char *buffer, size_t *j, int *buf_len,\r\n\r\n parms_atomic p, int datatype_len)\r\n\r\n{\r\n\r\n\r\n\r\n data[data_offset + k] = // XXX: data_offset + k points\r\noutside of data\r\n\r\n ((val & ~(~0 << *buf_len)) << (dat_len - *buf_len)) << uchar_offset;\r\n```\r\n\r\n### Crash Analysis\r\n```\r\n$ gdb --directory ~/build/hdf5-1.8.16/release/bin -q --args ~/build/hdf5-1.8.16/release/bin/h5dump 00015\r\n\r\n8.hdf\r\n\r\nReading symbols from /home/vrt/build/hdf5-1.8.16/release/bin/h5dump...done.\r\n\r\n(gdb) bp H5Znbit.c:896\r\n\r\nBreakpoint 3 at 0x8269e94: file ../../src/H5Znbit.c, line 896.\r\n\r\n(gdb) bp H5Znbit.c:1162\r\n\r\nBreakpoint 4 at 0x8269f09: file ../../src/H5Znbit.c, line 1162.\r\n\r\n(gdb) bp H5Znbit.c:1030\r\n\r\nBreakpoint 5 at 0x8269549: file ../../src/H5Znbit.c, line 1030.\r\n\r\n(gdb) r\r\n\r\n\r\n\r\nBreakpoint 3, H5Z_filter_nbit (flags=0x101, cd_nelmts=0x8, cd_values=0x848db88, nbytes=0x1f, buf_size=0xbfffbc7c, buf=0xbfffbc38) at ../../src/H5Znbit.c:896\r\n\r\n896 if(NULL == (outbuf = (unsigned char *)H5MM_malloc(size_out)))\r\n\r\n(gdb) p size_out\r\n\r\n$6 = 0x0\r\n\r\n(gdb) c\r\n\r\nContinuing.\r\n\r\n\r\n\r\nBreakpoint 4, H5Z_nbit_decompress (parms=0x848db88, buffer=0x8498530 \":\\252\\263\u00ca\u00ab>\", d_nelmts=0xc, data=0x8498558 \"\") at ../../src/H5Znbit.c:1162\r\n\r\n1162 p.precision = parms[6];\r\n\r\n(gdb) c\r\n\r\nContinuing.\r\n\r\n\r\n\r\nBreakpoint 5, H5Z_nbit_decompress_one_atomic (data=data@entry=0x8498558 \"\", data_offset=0x0, buffer=buffer@entry=0x8498530 \":\\252\\263\u00ca\u00ab>\", j=j@entry=0xbfffbb08, buf_len=buf_len@entry=0xbfffbb0c, p=...) 
at ../../src/H5Znbit.c:1030\r\n\r\n1030 for(k = begin_i; k >= end_i; k--)\r\n\r\n(gdb) p k\r\n\r\n$7 = 0x2003\r\n\r\n(gdb) c\r\n\r\nContinuing.\r\n\r\n\r\n\r\nCatchpoint 2 (signal SIGSEGV), 0x082695ff in H5Z_nbit_decompress_one_byte (datatype_len=0x20, buf_len=0xbfffbb0c, j=0xbfffbb08, buffer=0x8498530 \":\\252\\263\u00ca\u00ab>\", end_i=0x0, begin_i=0x2003, k=0x557, data_offset=<optimized out>, data=<optimized out>, p=...) at ../../src/H5Znbit.c:983\r\n\r\n983 ((val >> (*buf_len - dat_len)) & ~(~0 << dat_len)) << uchar_offset;\r\n```\r\n\r\n### Crash Analysis (Address Sanitizer)\r\n```\r\n=================================================================\r\n\r\n==2374==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3519a53 at pc 0xb74003af bp 0xbfcd6c38 sp 0xbfcd6c30\r\n\r\nWRITE of size 1 at 0xb3519a53 thread T0\r\n\r\n #0 0xb74003ae in H5Z_nbit_decompress_one_byte /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:975\r\n\r\n #1 0xb73f7a71 in H5Z_nbit_decompress_one_atomic /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:1031\r\n\r\n #2 0xb73e96ac in H5Z_nbit_decompress /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:1165\r\n\r\n #3 0xb73e783f in H5Z_filter_nbit /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:900\r\n\r\n #4 0xb73ccfd6 in H5Z_pipeline /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Z.c:1360\r\n\r\n #5 0xb568fc12 in H5D__chunk_lock /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dchunk.c:2903\r\n\r\n #6 0xb5673334 in H5D__chunk_read /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dchunk.c:1874\r\n\r\n #7 0xb57bb68d in H5D__read /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dio.c:550\r\n\r\n #8 0xb57b5813 in H5Dread /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dio.c:172\r\n\r\n #9 0x81e9cf3 in h5tools_dump_simple_dset /home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:1619\r\n\r\n #10 0x81e543d in h5tools_dump_dset 
/home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:1790\r\n\r\n #11 0x821316a in h5tools_dump_data /home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:3859\r\n\r\n #12 0x81045ca in dump_dataset /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:1053\r\n\r\n #13 0x80f5da3 in dump_all_cb /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:358\r\n\r\n #14 0xb5c1669a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:782\r\n\r\n #15 0xb5c71a72 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026\r\n\r\n #16 0xb5465c85 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175\r\n\r\n #17 0xb54636db in H5B_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220\r\n\r\n #18 0xb5cca773 in H5G__stab_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565\r\n\r\n #19 0xb5c95af2 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707\r\n\r\n #20 0xb5c14ba9 in H5G_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:843\r\n\r\n #21 0xb5fcdb47 in H5Literate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1182\r\n\r\n #22 0x80f1609 in link_iteration /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:608\r\n\r\n #23 0x8100596 in dump_group /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:890\r\n\r\n #24 0x80d3345 in main /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump.c:1542\r\n\r\n #25 0xb5021a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n\r\n #26 0x80cec04 in _start (/home/vrt/build/hdf5-1.8.16/memcheck/bin/h5dump+0x80cec04)\r\n\r\n\r\n\r\nAddressSanitizer can not describe address in more detail (wild memory access suspected).\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:975 H5Z_nbit_decompress_one_byte\r\n```\r\n### Timeline\r\n* 2016-05-17 - Vendor Notification \r\n* 2016-11-15 - Public Disclosure \r\n\r\n### References\r\n* [1] https://en.wikipedia.org/wiki/HierarchicalDataFormat\r\n* [2] http://www.hdfgroup.org/HDF5/", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability(CVE-2016-4331)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4331"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96653", "id": "SSV:96653", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:56:58", "description": "### Description\r\nHDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS. The vulnerability exists due to the library's failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it. 
When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.\r\n\r\n### Tested Versions\r\n* hdf5-1.8.16.tar.bz2\r\n* tools/h5ls: Version 1.8.16\r\n* tools/h5stat: Version 1.8.16\r\n* tools/h5dump: Version 1.8.16\r\n\r\n### Product Urls\r\n* http://www.hdfgroup.org/HDF5/\r\n* http://www.hdfgroup.org/HDF5/release/obtainsrc.html\r\n* http://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2\r\n\r\n### CVSSv3 Score\r\n8.6 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\r\n\r\n### Details\r\nThe HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a filesystem, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that's able to contain other Datasets or Groups. Associated with each entry is metadata containing user-defined named attributes that can be used to describe the dataset.\r\n\r\nWithin the HDF file format, paths can be specified in the '/'-separated POSIX format. When reading a dataset, the library will open the object using H5D__open_oid. Inside this function, the library will read the type and its location. 
Once the type and its location are read, the library will pass the H5O_DTYPE_ID value on to H5O_msg_read.\r\n```\r\nsrc/H5Dint.c:1221\r\n\r\nstatic herr_t\r\n\r\nH5D__open_oid(H5D_t *dataset, hid_t dapl_id, hid_t dxpl_id)\r\n\r\n{\r\n\r\n\r\n\r\n /* Open the dataset object */\r\n\r\n if(H5O_open(&(dataset->oloc)) < 0)\r\n\r\n HGOTO_ERROR(H5E_DATASET, H5E_CANTOPENOBJ, FAIL, \"unable to open\")\r\n\r\n\r\n\r\n /* Get the type and space */\r\n\r\n if(NULL == (dataset->shared->type = (H5T_t *)H5O_msg_read(&(dataset->oloc), H5O_DTYPE_ID, NULL, dxpl_id))) // XXX: \\\r\n\r\n HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, \"unable to load type info from dataset header\")\r\n\r\n\\\r\n\r\nsrc/H5Omessage.c:463\r\n\r\nvoid *\r\n\r\nH5O_msg_read(const H5O_loc_t *loc, unsigned type_id, void *mesg,\r\n\r\n hid_t dxpl_id)\r\n\r\n{\r\n\r\n H5O_t *oh = NULL; /* Object header to use */\r\n\r\n void *ret_value; /* Return value */\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n /* Get the object header */\r\n\r\n if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ)))\r\n\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, NULL, \"unable to protect object header\")\r\n\r\n\r\n\r\n /* Call the \"real\" read routine */\r\n\r\n if(NULL == (ret_value = H5O_msg_read_oh(loc->file, dxpl_id, oh, type_id, mesg))) // XXX: read the message from the object header\r\n\r\n HGOTO_ERROR(H5E_OHDR, H5E_READERROR, NULL, \"unable to read object header message\")\r\n```\r\n\r\nInside H5O_msg_read_oh, the application will use the type_id argument to determine which message type is being used for a message. This message type is used to determine which callback to use in order to handle the message. 
This process occurs within the macro H5O_LOAD_NATIVE at H5Omessage.c:545.\r\n```\r\nsrc/H5Omessage.c:517\r\n\r\nvoid *\r\n\r\nH5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id,\r\n\r\n void *mesg)\r\n\r\n{\r\n\r\n const H5O_msg_class_t *type; /* Actual H5O class type for the ID */\r\n\r\n unsigned idx; /* Message's index in object header */\r\n\r\n void *ret_value = NULL;\r\n\r\n\r\n\r\n for(idx = 0; idx < oh->nmesgs; idx++)\r\n\r\n if(type == oh->mesg[idx].type)\r\n\r\n break;\r\n\r\n\r\n\r\n H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)\r\n```\r\n\r\nInside the H5O_LOAD_NATIVE macro, the application will select a structure containing function pointers out of the msg->type field. This structure contains various functions that are used to decode the message. When decoding a message of type H5O_DTYPE_ID, the library will dispatch into the H5O_dtype_shared_decode function. This function will eventually call H5O_dtype_decode. Inside H5O_dtype_decode, the library will first allocate space using the call `H5T__alloc`. 
Afterwards, execution will continue on to H5O_dtype_decode_helper, which is responsible for decoding the datatypes.\r\n```\r\nsrc/H5Oshared.h:50\r\n\r\nstatic H5_INLINE void *\r\n\r\nH5O_SHARED_DECODE(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags,\r\n\r\n unsigned *ioflags, const uint8_t *p)\r\n\r\n{\r\n\r\n\r\n\r\n /* Decode native message directly */\r\n\r\n if(NULL == (ret_value = H5O_SHARED_DECODE_REAL(f, dxpl_id, open_oh, mesg_flags, ioflags, p))) // XXX: \\\r\n\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, \"unable to decode native message\")\r\n\r\n } /* end else */\r\n\r\n\\\r\n\r\nsrc/H5Odtype.c:1091\r\n\r\nstatic void *\r\n\r\nH5O_dtype_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,\r\n\r\n unsigned *ioflags/*in,out*/, const uint8_t *p)\r\n\r\n{\r\n\r\n\r\n\r\n /* Allocate datatype message */\r\n\r\n if(NULL == (dt = H5T__alloc()))\r\n\r\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\r\n\r\n\r\n\r\n /* Perform actual decode of message */\r\n\r\n if(H5O_dtype_decode_helper(f, ioflags, &p, dt) < 0)\r\n\r\n HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, \"can't decode type\")\r\n```\r\n\r\nInside H5T__alloc, the library will allocate space for an H5T_shared_t object. This structure is defined within H5Tpkg.h at line 288. The vulnerability is due to the definition of the H5T_array_t field within the union u. The H5T_array_t structure defines an H5S_MAX_RANK element array of size_t fields. 
Defined in src/H5Spublic.h:31, this length is 32.\r\n```\r\nsrc/H5T.c:3446\r\n\r\nH5T_t *\r\n\r\nH5T__alloc(void)\r\n\r\n{\r\n\r\n\r\n\r\n /* Allocate & initialize shared datatype structure */\r\n\r\n if(NULL == (dt->shared = H5FL_CALLOC(H5T_shared_t))) // XXX: sizeof(H5T_shared_t)\r\n\r\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\r\n\r\n\r\n\r\nsrc/H5Spublic.h:31\r\n\r\n#define H5S_MAX_RANK 32\r\n\r\n\r\n\r\nsrc/H5Tpkg.h:288\r\n\r\ntypedef struct H5T_shared_t {\r\n\r\n\r\n\r\n union {\r\n\r\n\r\n\r\n H5T_array_t array; /* an array datatype */\r\n\r\n } u;\r\n\r\n} H5T_shared_t;\r\n\r\n\r\n\r\nsrc/H5Tpkg.h:273\r\n\r\ntypedef struct H5T_array_t {\r\n\r\n size_t nelem; /* total number of elements in array */\r\n\r\n unsigned ndims; /* member dimensionality */\r\n\r\n size_t dim[H5S_MAX_RANK]; /* size in each dimension */ // XXX: maximum of 32\r\n\r\n} H5T_array_t;\r\n```\r\n\r\nAfter allocating space for the H5T_array_t, the library will return to H5O_dtype_decode, which will then execute the function H5O_dtype_decode_helper. When entering the case H5T_ARRAY, the library will read the number of dimensions from the file and then check that it is valid via an assertion. Because the assertion is only enabled when the library is compiled in debug mode, the preprocessor removes this check from release builds. Immediately following, the library will enter a loop that reads DWORDs from the file into the H5T_array_t.dim field. If the value of u.array.ndims is larger than 32, then this loop will read data from the file into memory outside the bounds of the H5T_array_t that was allocated earlier. 
This will lead to heap corruption and can lead to code execution under the context of the application using the library.\r\n```\r\nsrc/H5Odtype.c:133\r\n\r\nstatic htri_t\r\n\r\nH5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags/*in,out*/, const uint8_t **pp, H5T_t *dt)\r\n\r\n{\r\n\r\n\r\n\r\n case H5T_ARRAY: /* Array datatypes */\r\n\r\n /* Decode the number of dimensions */\r\n\r\n dt->shared->u.array.ndims = *(*pp)++;\r\n\r\n\r\n\r\n /* Double-check the number of dimensions */\r\n\r\n HDassert(dt->shared->u.array.ndims <= H5S_MAX_RANK);\r\n\r\n\r\n\r\n /* Decode array dimension sizes & compute number of elements */\r\n\r\n for(i = 0, dt->shared->u.array.nelem = 1; i < (unsigned)dt->shared->u.array.ndims; i++) {\r\n\r\n UINT32DECODE(*pp, dt->shared->u.array.dim[i]);\r\n\r\n dt->shared->u.array.nelem *= dt->shared->u.array.dim[i];\r\n\r\n } /* end for */\r\n```\r\n### Crash Analysis\r\n```\r\n$ gdb -q --args bin/h5stat poc.hdf\r\n\r\nNo symbol table is loaded. Use the \"file\" command.\r\n\r\nReading symbols from $HOME/hdf5-1.8.16/release/bin/h5stat...done.\r\n\r\n(gdb) bp H5Odtype.c:518\r\n\r\nBreakpoint 3 at 0x8147cb0: file ../../src/H5Odtype.c, line 518.\r\n\r\n(gdb) bp H5Odtype.c:528 i < 0x1f\r\n\r\nBreakpoint 4 at 0x8147cc9: file ../../src/H5Odtype.c, line 528.\r\n\r\n(gdb) r\r\n\r\nStarting program: $HOME/hdf5-1.8.16/release/bin/h5stat poc.hdf\r\n\r\nFilename: poc.hdf\r\n\r\n\r\n\r\nBreakpoint 3, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:518\r\n\r\n518 dt->shared->u.array.ndims = *(*pp)++;\r\n\r\n(gdb) n\r\n\r\n524 if(version < H5O_DTYPE_VERSION_3)\r\n\r\n(gdb) n\r\n\r\n518 dt->shared->u.array.ndims = *(*pp)++;\r\n\r\n(gdb) n\r\n\r\n524 if(version < H5O_DTYPE_VERSION_3)\r\n\r\n(gdb) p dt->shared->u.array.ndims\r\n\r\n$1 = 0x69\r\n\r\n(gdb) c\r\n\r\nContinuing.\r\n\r\n\r\n\r\n*** Error in `$HOME/hdf5-1.8.16/release/bin/h5stat': free(): invalid 
pointer: 0x083f21e1 ***\r\n\r\n\r\n\r\nCatchpoint 2 (signal SIGABRT), 0xb7ffecb0 in ?? ()\r\n\r\n(gdb)\r\n\r\n\r\n\r\n### Crash Analysis (Address Sanitizer)\r\n\r\n=================================================================\r\n\r\n==2398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2b20938 at pc 0xb626a9fe bp 0xbfb6d5d8 sp 0xbfb6d5d0\r\n\r\nWRITE of size 4 at 0xb2b20938 thread T0\r\n\r\n #0 0xb626a9fd in H5O_dtype_decode_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:529\r\n\r\n #1 0xb6252881 in H5O_dtype_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:1108\r\n\r\n #2 0xb621efd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Oshared.h:84\r\n\r\n #3 0xb62faa5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:554\r\n\r\n #4 0xb62f88a6 in H5O_msg_read $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:483\r\n\r\n #5 0xb5798b96 in H5D__open_oid $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1245\r\n\r\n #6 0xb5795df7 in H5D_open $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1153\r\n\r\n #7 0xb563b3f9 in H5Dopen2 $HOME/hdf5-1.8.16/asan/src/../../src/H5D.c:368\r\n\r\n #8 0x825351d in find_objs_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:580\r\n\r\n #9 0x8270c4d in traverse_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:237\r\n\r\n #10 0xb5c2f66a in H5G_visit_cb $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:939\r\n\r\n #11 0xb5c83a72 in H5G__node_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026\r\n\r\n #12 0xb5477c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1175\r\n\r\n #13 0xb54756db in H5B_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1220\r\n\r\n #14 0xb5cdc773 in H5G__stab_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565\r\n\r\n #15 0xb5ca7af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707\r\n\r\n #16 0xb5c2cbe2 in H5G_visit 
$HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:1174\r\n\r\n #17 0xb5fe7f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/asan/src/../../src/H5L.c:1378\r\n\r\n #18 0x825c8fe in traverse $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:310\r\n\r\n #19 0x82679c5 in h5trav_visit $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164\r\n\r\n #20 0x82522c4 in init_objs $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:655\r\n\r\n #21 0x80cf3b7 in table_list_add $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:408\r\n\r\n #22 0x80d12c1 in main $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:1470\r\n\r\n #23 0xb5033a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n\r\n #24 0x80cec04 in _start ($HOME/hdf5-1.8.16/asan/bin/h5dump+0x80cec04)\r\n\r\n\r\n\r\n0xb2b20938 is located 0 bytes to the right of 168-byte region [0xb2b20890,0xb2b20938)\r\n\r\nallocated by thread T0 here:\r\n\r\n #0 0x80b791e in calloc ($HOME/hdf5-1.8.16/asan/bin/h5dump+0x80b791e)\r\n\r\n #1 0xb6058d5b in H5MM_calloc $HOME/hdf5-1.8.16/asan/src/../../src/H5MM.c:107\r\n\r\n #2 0xb6947712 in H5T__alloc $HOME/hdf5-1.8.16/asan/src/../../src/H5T.c:3462\r\n\r\n #3 0xb62523b8 in H5O_dtype_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:1104\r\n\r\n #4 0xb621efd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Oshared.h:84\r\n\r\n #5 0xb62faa5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:554\r\n\r\n #6 0xb62f88a6 in H5O_msg_read $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:483\r\n\r\n #7 0xb5798b96 in H5D__open_oid $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1245\r\n\r\n #8 0xb5795df7 in H5D_open $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1153\r\n\r\n #9 0xb563b3f9 in H5Dopen2 $HOME/hdf5-1.8.16/asan/src/../../src/H5D.c:368\r\n\r\n #10 0x825351d in find_objs_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:580\r\n\r\n #11 0x8270c4d in traverse_cb 
$HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:237\r\n\r\n #12 0xb5c2f66a in H5G_visit_cb $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:939\r\n\r\n #13 0xb5c83a72 in H5G__node_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026\r\n\r\n #14 0xb5477c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1175\r\n\r\n #15 0xb54756db in H5B_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1220\r\n\r\n #16 0xb5cdc773 in H5G__stab_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565\r\n\r\n #17 0xb5ca7af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707\r\n\r\n #18 0xb5c2cbe2 in H5G_visit $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:1174\r\n\r\n #19 0xb5fe7f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/asan/src/../../src/H5L.c:1378\r\n\r\n #20 0x825c8fe in traverse $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:310\r\n\r\n #21 0x82679c5 in h5trav_visit $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164\r\n\r\n #22 0x82522c4 in init_objs $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:655\r\n\r\n #23 0x80cf3b7 in table_list_add $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:408\r\n\r\n #24 0x80d12c1 in main $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:1470\r\n\r\n #25 0xb5033a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:529 H5O_dtype_decode_helper\r\n```\r\n### Timeline\r\n* 2016-05-08 - Discovery\r\n* 2016-05-17 - Vendor Notification\r\n* 2016-11-15 - Public Disclosure\r\n\r\n### References\r\n* [1] https://en.wikipedia.org/wiki/Hierarchical_Data_Format\r\n* [2] http://www.hdfgroup.org/HDF5/", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability(CVE-2016-4330)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4330"], "modified": 
"2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96654", "id": "SSV:96654", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:56:51", "description": "### Description\r\nHDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS.\r\n\r\nThe vulnerability exists due to the library's failure to check if certain message types support a particular flag. When this flag is set, the library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type. Due to the message type not being able to support this flag, the library will write outside the bounds of the heap buffer. This can lead to code execution under the context of the library.\r\n### Tested Versions\r\n\r\n* hdf5-1.8.16.tar.bz2\r\n* tools/h5ls: Version 1.8.16<br>\r\n* tools/h5stat: Version 1.8.16<br>\r\n* tools/h5dump: Version 1.8.16<br>\r\n\r\n### Product Urls\r\nhttp://www.hdfgroup.org/HDF5/\r\nhttp://www.hdfgroup.org/HDF5/release/obtainsrc.html\r\nhttp://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2\r\n\r\n### CVSSv3 Score\r\n8.6 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\r\n\r\n### Details\r\nThe HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a file system, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that's able to contain other Datasets or Groups. 
Associated with each entry is metadata containing user-defined named attributes that can be used to describe the dataset.\r\n\r\nWithin the HDF file format, paths can be specified in the '/'-separated POSIX format. When iterating through the contents of a group, for each object the library will first populate an H5G_loc_t structure with information about the object's location. Immediately afterwards, the library will fetch the metadata for the object using H5O_get_info. This is done by the following code located within src/H5O.c:\r\n```\r\nsrc/H5O.c:3280\r\n/* Find the object's location */\r\nif(H5G_loc_find(&loc, obj_name, &obj_loc/*out*/, lapl_id, dxpl_id) < 0) // XXX: assign location info about the object\r\n HGOTO_ERROR(H5E_OHDR, H5E_NOTFOUND, FAIL, \"object not found\")\r\nloc_found = TRUE;\r\n\r\n/* Get the object's info */\r\nif(H5O_get_info(&obj_oloc, dxpl_id, TRUE, &oinfo) < 0) // XXX: get metadata information about the object\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, \"unable to get object info\")\r\n```\r\n\r\nAfter reading the object header into the \"oh\" variable, the library will use this information to store the object class. A little bit later, the library will use the version to determine how to process some of the attributes associated with the object. If the object's version is H5O_VERSION_1, the library will then call H5O_msg_read_oh. This function will iterate through each of the message types in order to determine how to process them. 
The type that's specified is H5O_MTIME_ID, which gets passed to H5O_msg_read_oh.\r\n```\r\nsrc/H5O.c:2776\r\nherr_t\r\nH5O_get_info(const H5O_loc_t *loc, hid_t dxpl_id, hbool_t want_ih_info,\r\n H5O_info_t *oinfo)\r\n{\r\n...\r\n /* Get the object header */\r\n if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ))) // XXX: read object header from file\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, FAIL, \"unable to load object header\")\r\n...\r\n if(NULL == (obj_class = H5O_obj_class_real(oh)))\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, \"unable to determine object class\")\r\n...\r\n if(oh->version > H5O_VERSION_1) {\r\n...\r\n } /* end if */\r\n else {\r\n...\r\n if((exists = H5O_msg_exists_oh(oh, H5O_MTIME_ID)) < 0)\r\n HGOTO_ERROR(H5E_OHDR, H5E_NOTFOUND, FAIL, \"unable to check for MTIME message\")\r\n if(exists > 0) {\r\n /* Get \"old style\" modification time info */\r\n if(NULL == H5O_msg_read_oh(loc->file, dxpl_id, oh, H5O_MTIME_ID, &oinfo->ctime)) // XXX: call message decode\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, \"can't read MTIME message\")\r\n```\r\n\r\nInside H5O_msg_read_oh, the application will use the type_id argument to determine which message type is being used for a message. This message type is used to determine which callback to use in order to handle the message. This process occurs within the macro H5O_LOAD_NATIVE at H5Omessage.c:545\r\n```\r\nsrc/H5Omessage.c:517\r\nvoid *\r\nH5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id,\r\n void *mesg)\r\n{\r\n const H5O_msg_class_t *type; /* Actual H5O class type for the ID */\r\n unsigned idx; /* Message's index in object header */\r\n void *ret_value = NULL;\r\n...\r\n for(idx = 0; idx < oh->nmesgs; idx++)\r\n if(type == oh->mesg[idx].type)\r\n break;\r\n...\r\n H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)\r\n```\r\n\r\nInside the H5O_LOAD_NATIVE macro, the application will select a structure containing function pointers out of the msg->type field. 
This structure contains various functions that are used to decode the message. After calling the decode method, the library will check to see if the H5O_MSG_FLAG_SHAREABLE flag is set. If this flag is set, the macro H5O_UPDATE_SHARED is used to write into the pointer returned by the decode function, without checking whether that message type supports sharing at all.\r\n```\r\nsrc/H5Opkg.h:184\r\n/* Load native information for a message, if it's not already present */\r\n/* (Only works for messages with decode callback) */\r\n#define H5O_LOAD_NATIVE(F, DXPL, IOF, OH, MSG, ERR) \\\r\n if(NULL == (MSG)->native) { \\\r\n const H5O_msg_class_t *msg_type = (MSG)->type; \\\r\n unsigned ioflags = (IOF); \\\r\n \\\r\n /* Decode the message */ \\\r\n HDassert(msg_type->decode); \\\r\n if(NULL == ((MSG)->native = (msg_type->decode)((F), (DXPL), (OH), (MSG)->flags, &ioflags, (MSG)->raw))) \\\r\n HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, ERR, \"unable to decode message\") \\\r\n \\\r\n...\r\n \\\r\n if((MSG)->flags & H5O_MSG_FLAG_SHAREABLE) { \\\r\n H5O_UPDATE_SHARED((H5O_shared_t *)(MSG)->native, H5O_SHARE_TYPE_HERE, (F), msg_type->id, (MSG)->crt_idx, (OH)->chunk[0].addr) \\\r\n } /* end if */\r\n\\\r\n```\r\n\r\nInside the decode function for the H5O_MTIME_ID message, the application will make an allocation that is the size of a time_t field. 
This is located within src/H5Omtime.c:174.\r\n```\r\nsrc/H5Omtime.c:174\r\nstatic void *\r\nH5O_mtime_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh,\r\n unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p)\r\n{\r\n time_t *mesg, the_time;\r\n int i;\r\n struct tm tm;\r\n void *ret_value = NULL; /* Return value */\r\n...\r\n if(NULL == (mesg = H5FL_MALLOC(time_t)))\r\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\r\n *mesg = the_time;\r\n\r\n /* Set return value */\r\n ret_value = mesg;\r\n\r\ndone:\r\n FUNC_LEAVE_NOAPI(ret_value)\r\n} /* end H5O_mtime_decode() */\r\n```\r\n\r\nAfter allocating space for the time_t, the application will return back to the H5O_LOAD_NATIVE macro. Once this is returned, the application will check to see if the flags have the H5O_MSG_FLAG_SHAREABLE bit set. If so, the application will mis-cast the pointer to the time_t to an H5O_shared_t, and then try to write to it using the H5O_UPDATE_SHARED macro.\r\n```\r\nsrc/H5Opkg.h:203\r\n if((MSG)->flags & H5O_MSG_FLAG_SHAREABLE) { \\\r\n H5O_UPDATE_SHARED((H5O_shared_t *)(MSG)->native, H5O_SHARE_TYPE_HERE, (F), msg_type->id, (MSG)->crt_idx, (OH)->chunk[0].addr) \\\r\n } /* end if */ \\\r\n\\\r\nsrc/H5Oprivate.h:114\r\n#define H5O_UPDATE_SHARED(SH_MESG, SH_TYPE, F, MSG_TYPE, CRT_IDX, OH_ADDR) \\\r\n { \\\r\n (SH_MESG)->type = (SH_TYPE); \\\r\n (SH_MESG)->file = (F); \\\r\n (SH_MESG)->msg_type_id = (MSG_TYPE); \\\r\n (SH_MESG)->u.loc.index = (CRT_IDX); \\\r\n (SH_MESG)->u.loc.oh_addr = (OH_ADDR); \\\r\n } /* end block */\r\n```\r\n\r\nDue to the H5O_shared_t being larger than a time_t, the H5O_UPDATE_SHARED macro will write outside the bounds of the time_t allocation made by H5O_mtime_decode. 
This will corrupt adjacent metadata in the heap, and can be used to corrupt more of the state of the application, which can lead to code execution under the context of the application using the library. The H5O_shared_t structure is listed below.\r\n```\r\nsrc/H5Oprivate.h:230\r\ntypedef struct H5O_shared_t {\r\n unsigned type; /* Type describing how message is shared */\r\n H5F_t *file; /* File that message is located within */\r\n unsigned msg_type_id; /* Message's type ID */\r\n union {\r\n H5O_mesg_loc_t loc; /* Object location info */\r\n H5O_fheap_id_t heap_id; /* ID within the SOHM heap */\r\n } u;\r\n} H5O_shared_t;\r\n```\r\n\r\nThis vulnerable pattern also occurs while decoding two other messages. These two messages are H5O_MTIME_NEW_ID, which calls H5O_mtime_new_decode, and H5O_STAB_ID, which calls H5O_stab_decode. H5O_mtime_new_decode, in the following snippet, also allocates a time_t that is smaller than an H5O_shared_t, which can be used to trigger a similar style of overwrite.\r\n```\r\nsrc/H5Omtime.c:121\r\nstatic void *\r\nH5O_mtime_new_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh,\r\n unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p)\r\n{\r\n...\r\n /* The return value */\r\n if (NULL==(mesg = H5FL_MALLOC(time_t)))\r\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\");\r\n *mesg = (time_t)tmp_time;\r\n\r\n /* Set return value */\r\n ret_value=mesg;\r\n\r\ndone:\r\n FUNC_LEAVE_NOAPI(ret_value)\r\n} /* end H5O_mtime_new_decode() */\r\n```\r\n\r\nThe other message, H5O_STAB_ID, which uses H5O_stab_decode, uses the following H5O_stab_t structure. 
Due to the library mis-casting this structure to an H5O_shared_t, the library will write outside the bounds of the H5O_stab_t allocation.\r\n```\r\nsrc/H5Oprivate.h:531\r\ntypedef struct H5O_stab_t {\r\n haddr_t btree_addr; /*address of B-tree */\r\n haddr_t heap_addr; /*address of name heap */\r\n} H5O_stab_t;\r\n```\r\n\r\nSimilarly, the library uses H5FL_CALLOC(H5O_stab_t) to allocate space for the structure that gets overwritten.\r\n```\r\nsrc/H5Ostab.c:99\r\nstatic void *\r\nH5O_stab_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh,\r\n unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p)\r\n{\r\n...\r\n /* decode */\r\n if(NULL == (stab = H5FL_CALLOC(H5O_stab_t)))\r\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\r\n H5F_addr_decode(f, &p, &(stab->btree_addr));\r\n H5F_addr_decode(f, &p, &(stab->heap_addr));\r\n\r\n /* Set return value */\r\n ret_value = stab;\r\n```\r\n\r\nThe message IDs and the H5O_MSG_FLAG_SHAREABLE flag are defined within src/H5Oprivate.h:\r\n```\r\nsrc/H5Oprivate.h:185\r\n#define H5O_MTIME_ID 0x000e /* Modification time message. (Old) */\r\n...\r\n#define H5O_STAB_ID 0x0011 /* Symbol table message. */\r\n#define H5O_MTIME_NEW_ID 0x0012 /* Modification time message. 
(New) */\r\n\r\nsrc/H5Oprivate.h:70\r\n/* Flags needed when encoding messages */\r\n#define H5O_MSG_FLAG_CONSTANT 0x01u\r\n#define H5O_MSG_FLAG_SHARED 0x02u\r\n#define H5O_MSG_FLAG_DONTSHARE 0x04u\r\n#define H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE 0x08u\r\n#define H5O_MSG_FLAG_MARK_IF_UNKNOWN 0x10u\r\n#define H5O_MSG_FLAG_WAS_UNKNOWN 0x20u\r\n#define H5O_MSG_FLAG_SHAREABLE 0x40u\r\n```\r\n### Crash Analysis\r\n```\r\n$ gdb -q --args bin/h5ls poc.hdf\r\n(gdb) r\r\nStarting program: bin/h5ls poc.hdf\r\n\r\nBreakpoint 3, main (argc=0x2, argv=0x192f5376) at ../../../tools/h5ls/h5ls.c:2568\r\n2568 {\r\n(gdb) bp H5O_mtime_decode\r\nBreakpoint 4 at 0x8175ebf: file ../../src/H5Omtime.c, line 177.\r\n(gdb) c\r\nContinuing.\r\ncmpnd Type *ERROR*\r\n\r\nBreakpoint 4, H5O_mtime_decode (f=0x8478498, dxpl_id=0xa000008,\r\nopen_oh=0x847adb8, mesg_flags=0x40, ioflags=0xbfffe168, p=0x847aeb0\r\n\"20110414214255\") at ../../src/H5Omtime.c:177\r\n177 {\r\n\r\n(gdb) bp :246\r\nBreakpoint 5 at 0x817615b: file ../../src/H5Omtime.c, line 246.\r\n(gdb) c\r\nContinuing.\r\n\r\nBreakpoint 5, H5O_mtime_decode (f=0x8478498, dxpl_id=0xa000008,\r\nopen_oh=0x847adb8, mesg_flags=0x40, ioflags=0xbfffe168, p=0x847aeb0\r\n\"20110414214255\") at ../../src/H5Omtime.c:246\r\n246 if(NULL == (mesg = H5FL_MALLOC(time_t)))\r\n\r\n(gdb) p sizeof(time_t)\r\n$1 = 0x4\r\n(gdb) n\r\n248 *mesg = the_time;\r\n\r\n(gdb) p mesg\r\n$10 = (time_t *) 0x847bf88\r\n(gdb) ba 0x847bf88+sizeof(time_t)\r\nHardware watchpoint 11: *(0x847bf88+sizeof(time_t))\r\n(gdb) c\r\nContinuing.\r\nHardware watchpoint 11: *(0x847bf88+sizeof(time_t))\r\n\r\nOld value = 0x844ebf0\r\nNew value = 0x8478498\r\n0x08172df0 in H5O_msg_read_oh (f=0x8478498, dxpl_id=0xa000008, oh=0x847adb8,\r\ntype_id=0xe, mesg=0xbfffe9a0) at ../../src/H5Omessage.c:545\r\n545 H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)\r\n(gdb) ub $pc L4\r\n 0x8172de7 <H5O_msg_read_oh+659>: mov 0x18(%eax),%eax\r\n 0x8172dea <H5O_msg_read_oh+662>: mov 
0x8(%ebp),%edx\r\n 0x8172ded <H5O_msg_read_oh+665>: mov %edx,0x4(%eax) # XXX:\r\nwrites past the size of a time_t\r\n=> 0x8172df0 <H5O_msg_read_oh+668>: mov 0x10(%ebp),%eax\r\n(gdb) i r eax ebp\r\neax 0x847bf88 0x847bf88\r\nebp 0xbfffe198 0xbfffe198\r\n(gdb) c\r\nContinuing.\r\n*** Error in `/home/vrt/build/hdf5-1.8.16-release/release/bin/h5ls': malloc():\r\nmemory corruption: 0x0847bf98 ***\r\n\r\nCatchpoint 2 (signal SIGABRT), 0xb7ffecb0 in ?? ()\r\n\r\n\r\n\r\n$ bin/h5ls poc.hdf\r\n=================================================================\r\n==30927==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3d08b14 at pc 0xb6361e5b bp 0xbfda4258 sp 0xbfda4250\r\nWRITE of size 4 at 0xb3d08b14 thread T0\r\n #0 0xb6361e5a in H5O_msg_read_oh /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545\r\n #1 0xb60e96ee in H5O_get_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:2837\r\n #2 0xb5cb2252 in H5G_loc_info_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:701\r\n #3 0xb5d79bc4 in H5G_traverse_real /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:640\r\n #4 0xb5d74f1a in H5G_traverse /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:860\r\n #5 0xb5cb10de in H5G_loc_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:746\r\n #6 0xb60e336a in H5Oget_info_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:656\r\n #7 0x81ec049 in traverse_cb /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:222\r\n #8 0xb5c8e87a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:782\r\n #9 0xb5ce9cd2 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026\r\n #10 0xb54dcfe5 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1175\r\n #11 0xb54daa3b in H5B_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1220\r\n #12 0xb5d42a23 in H5G__stab_iterate 
/home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565\r\n #13 0xb5d0dd52 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707\r\n #14 0xb5c8cd89 in H5G_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:843\r\n #15 0xb60491f8 in H5Literate_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5L.c:1254\r\n #16 0x81d87fc in traverse /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:315\r\n #17 0x81e3735 in h5trav_visit /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164\r\n #18 0x80de12b in visit_obj /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2390\r\n #19 0x80d4e1f in main /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2880\r\n #20 0xb5096a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n #21 0x80ce814 in _start (/home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/.libs/lt-h5ls+0x80ce814)\r\n\r\n0xb3d08b14 is located 0 bytes to the right of 4-byte region [0xb3d08b10,0xb3d08b14)\r\nallocated by thread T0 here:\r\n #0 0x80b7441 in malloc (/home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/.libs/lt-h5ls+0x80b7441)\r\n #1 0xb60beeca in H5MM_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5MM.c:66\r\n #2 0xb5b3744c in H5FL_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5FL.c:199\r\n #3 0xb5b361c2 in H5FL_reg_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5FL.c:399\r\n #4 0xb638d7c2 in H5O_mtime_decode /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omtime.c:246\r\n #5 0xb63610ec in H5O_msg_read_oh /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545\r\n #6 0xb60e96ee in H5O_get_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:2837\r\n #7 0xb5cb2252 in H5G_loc_info_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:701\r\n #8 0xb5d79bc4 in H5G_traverse_real /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:640\r\n #9 0xb5d74f1a in H5G_traverse 
/home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:860\r\n #10 0xb5cb10de in H5G_loc_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:746\r\n #11 0xb60e336a in H5Oget_info_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:656\r\n #12 0x81ec049 in traverse_cb /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:222\r\n #13 0xb5c8e87a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:782\r\n #14 0xb5ce9cd2 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026\r\n #15 0xb54dcfe5 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1175\r\n #16 0xb54daa3b in H5B_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1220\r\n #17 0xb5d42a23 in H5G__stab_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565\r\n #18 0xb5d0dd52 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707\r\n #19 0xb5c8cd89 in H5G_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:843\r\n #20 0xb60491f8 in H5Literate_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5L.c:1254\r\n #21 0x81d87fc in traverse /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:315\r\n #22 0x81e3735 in h5trav_visit /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164\r\n #23 0x80de12b in visit_obj /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2390\r\n #24 0x80d4e1f in main /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2880\r\n #25 0xb5096a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545 H5O_msg_read_oh\r\nShadow bytes around the buggy address:\r\n 0x367a1110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x367a1120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x367a1130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
fa\r\n 0x367a1140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x367a1150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x367a1160: fa fa[04]fa fa fa 00 fa fa fa 00 07 fa fa 00 04\r\n 0x367a1170: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04\r\n 0x367a1180: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x367a1190: fa fa 00 01 fa fa 00 fa fa fa fd fd fa fa fd fa\r\n 0x367a11a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd\r\n 0x367a11b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07\r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==30927==ABORTING\r\n```\r\n### Timeline\r\n* 2016-05-08 - Discovery \r\n* 2016-05-17 - Vendor Notification \r\n* 2016-11-15 - Public Disclosure \r\n\r\n### References\r\n* [1] https://en.wikipedia.org/wiki/Hierarchical_Data_Format\r\n* [2] http://www.hdfgroup.org/HDF5/", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability(CVE-2016-4332)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4332"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96652", "id": "SSV:96652", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talos": [{"lastseen": "2020-07-01T21:25:19", "bulletinFamily": "info", "cvelist": ["CVE-2016-4333"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0179\n\n## HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability\n\n##### November 17, 2016\n\n##### 
CVE Number\n\nCVE-2016-4333\n\n### Description\n\nHDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS.\n\nThe vulnerability exists due to the library allocating space for the array using a value from the file, and then within the loop for initializing said array allowing a value within the file to modify the loop\u2019s terminator. Due to this, an aggressor can cause the loop\u2019s index to point outside the bounds of the array when initializing it. This is a heap-based buffer overflow, and can lead to code execution under the context of the application using the library.\n\n### Tested Versions\n\nhdf5-1.8.16.tar.bz2 \ntools/h5ls: Version 1.8.16 \ntools/h5stat: Version 1.8.16 \ntools/h5dump: Version 1.8.16\n\n### Product Urls\n\nhttp://www.hdfgroup.org/HDF5/ \nhttp://www.hdfgroup.org/HDF5/release/obtainsrc.html \nhttp://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2\n\n### CVSSv3 Score\n\n8.6 \u2013 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n\n### Details\n\nThe HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a file system, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that\u2019s able to contain other Datasets or Groups. Associated with each entry, is metadata containing user-defined named attributes that can be used to describe the dataset.\n\nWithin the HDF file format, paths can be specified as the \u2018/\u2019-separated posix format. 
When reading a dataset, the library will open the object using H5D__open_oid. Inside this function, the library will read the type and its location. Once the type and its location are read, the library will pass the H5O_DTYPE_ID value along with its location onto H5O_msg_read.\n \n \n src/H5Dint.c:1221\n static herr_t\n H5D__open_oid(H5D_t *dataset, hid_t dapl_id, hid_t dxpl_id)\n {\n ...\n /* Open the dataset object */\n if(H5O_open(&(dataset->oloc)) < 0)\n HGOTO_ERROR(H5E_DATASET, H5E_CANTOPENOBJ, FAIL, \"unable to open\")\n \n /* Get the type and space */\n if(NULL == (dataset->shared->type = (H5T_t *)H5O_msg_read(&(dataset->oloc), H5O_DTYPE_ID, NULL, dxpl_id))) // XXX: \\\n HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, \"unable to load type info from dataset header\")\n \\\n src/H5Omessage.c:463\n void *\n H5O_msg_read(const H5O_loc_t *loc, unsigned type_id, void *mesg,\n hid_t dxpl_id)\n {\n H5O_t *oh = NULL; /* Object header to use */\n void *ret_value; /* Return value */\n ...\n /* Get the object header */\n if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ)))\n HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, NULL, \"unable to protect object header\")\n \n /* Call the \"real\" read routine */\n if(NULL == (ret_value = H5O_msg_read_oh(loc->file, dxpl_id, oh, type_id, mesg))) // XXX: read the message from the object header\n HGOTO_ERROR(H5E_OHDR, H5E_READERROR, NULL, \"unable to read object header message\")\n \n\nInside H5O_msg_read_oh, the application will use the type_id argument to determine which message type is being used for a message. This message type is used to determine which callback to use in order to handle the message. 
This process occurs within the macro H5O_LOAD_NATIVE at H5Omessage.c:545\n \n \n src/H5Omessage.c:517\n void *\n H5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id,\n void *mesg)\n {\n const H5O_msg_class_t *type; /* Actual H5O class type for the ID */\n unsigned idx; /* Message's index in object header */\n void *ret_value = NULL;\n ...\n for(idx = 0; idx < oh->nmesgs; idx++)\n if(type == oh->mesg[idx].type)\n break;\n ...\n H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)\n \n\nInside the H5O_LOAD_NATIVE macro, the application will select a structure containing function pointers out of the msg->type field. This structure contains various functions that are used to decode the message. When decoding a msg of type H5O_DTYPE_ID, the library will dispatch into the H5O_dtype_shared_decode function. This function will eventually call H5O_dtype_decode. Inside H5O_dtype_decode, the application will then call H5O_dtype_decode_helper which is responsible for decoding the data types.\n \n \n src/H5Oshared.h:50\n static H5_INLINE void *\n H5O_SHARED_DECODE(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags,\n unsigned *ioflags, const uint8_t *p)\n {\n ...\n /* Decode native message directly */\n if(NULL == (ret_value = H5O_SHARED_DECODE_REAL(f, dxpl_id, open_oh, mesg_flags, ioflags, p))) // XXX: \\\n HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, \"unable to decode native message\")\n } /* end else */\n \\\n src/H5Odtype.c:1091\n static void *\n H5O_dtype_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,\n unsigned *ioflags/*in,out*/, const uint8_t *p)\n {\n ...\n /* Allocate datatype message */\n if(NULL == (dt = H5T__alloc()))\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\n \n /* Perform actual decode of message */\n if(H5O_dtype_decode_helper(f, ioflags, &p, dt) < 0)\n HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, \"can't decode type\")\n 
\n\nInside decode helper, the library will read a dword from the file and use the bottom 4 bits to determine the datatype. If the datatype is H5T_COMPOUND(6), the library will enter the case at src/H5Odtype.c:260. At the beginning of this case, the library will use a bitmask from the fields to allocate space for the number of members.\n \n \n src/H5Odtype.c:133\n static htri_t\n H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags/*in,out*/, const uint8_t **pp, H5T_t *dt)\n {\n ...\n case H5T_COMPOUND:\n {\n ...\n dt->shared->u.compnd.nmembs = flags & 0xffff;\n if(dt->shared->u.compnd.nmembs == 0)\n HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, \"invalid number of members: %u\", dt->shared->u.compnd.nmembs)\n dt->shared->u.compnd.nalloc = dt->shared->u.compnd.nmembs; // XXX: proof-of-concept sets this to 3\n dt->shared->u.compnd.memb = (H5T_cmemb_t *)H5MM_calloc(dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t)); // XXX: buffer that's later written to\n dt->shared->u.compnd.memb_size = 0;\n \n\nImmediately afterwards, the library will enter a loop that is terminated by the number of members in the prior snippet. For each iteration of this loop, the library will read a number of dimensions that will be passed to a function H5T__array_create. Although the library checks that the number of dimensions that are read are bound by 4, the check is done via an assertion. 
When the library is built in production mode[3], this assertion will be optimized out by the preprocessor.\n \n \n src/H5Odtype.c:282\n for(i = 0; i < dt->shared->u.compnd.nmembs; i++) { // XXX: u.array.ndims\n unsigned ndims = 0; /* Number of dimensions of the array field */\n htri_t can_upgrade; /* Whether we can upgrade this type's version */\n hsize_t dim[H5O_LAYOUT_NDIMS]; /* Dimensions of the array */\n H5T_t *array_dt; /* Temporary pointer to the array datatype */\n H5T_t *temp_type; /* Temporary pointer to the field's datatype */\n ...\n if(version == H5O_DTYPE_VERSION_1) {\n /* Decode the number of dimensions */\n ndims = *(*pp)++; // XXX: ndims can be changed within the loop\n HDassert(ndims <= 4); // XXX: assertion, if ndims > 4 then H5T_array_create will read oob\n *pp += 3; /*reserved bytes */\n ...\n } /* end if */\n ...\n if(version == H5O_DTYPE_VERSION_1) {\n ...\n if((array_dt = H5T__array_create(temp_type, ndims, dim)) == NULL) { // XXX: ndims is passed here\n ...\n } /* end if */\n \n\nInside H5T__array_create, the library will use the ndims value as a terminator to a loop. This loop is used to calculate the size of the array. Due to the index being oob of the 4-element array, the loop can assign an arbitrary value to u.array.ndims and u.array.nelem. 
These values are actually a union within the structure that they\u2019re written to, and due to this can be used to change the length of the loop after the space has already been allocated.\n \n \n src/H5Tarray.c:179\n H5T_t *\n H5T__array_create(H5T_t *base, unsigned ndims, const hsize_t dim[/* ndims */])\n {\n H5T_t *ret_value; /* new array data type */\n unsigned u; /* local index variable */\n ...\n /* Build new type */\n if(NULL == (ret_value = H5T__alloc()))\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\n ret_value->shared->type = H5T_ARRAY;\n ...\n /* Set the array parameters */\n ret_value->shared->u.array.ndims = ndims; // XXX: writes to u.compnd.nmembs\n \n /* Copy the array dimensions & compute the # of elements in the array */\n for(u = 0, ret_value->shared->u.array.nelem = 1; u < ndims; u++) {\n H5_CHECKED_ASSIGN(ret_value->shared->u.array.dim[u], size_t, dim[u], hsize_t);\n ret_value->shared->u.array.nelem *= (size_t)dim[u]; // XXX: multiply using uninitialized values. writes to u.compnd.nalloc\n } /* end for */\n \n /* Set the array's size (number of elements * element datatype's size) */\n ret_value->shared->size = ret_value->shared->parent->shared->size * ret_value->shared->u.array.nelem; // XXX\n ...\n FUNC_LEAVE_NOAPI(ret_value)\n } /* end H5T__array_create */\n \n\nThe structures that overlap are located within the H5T_shared_t definition in src/H5Tpkg.h:288. 
In this structure, the \u201cu\u201d field is a union of both an H5T_array_t and an H5T_compnd_t, both of which are used within the loop that was explained in the prior snippet.\n \n \n src/H5Tpkg.h:288\n typedef struct H5T_shared_t {\n hsize_t fo_count; /* number of references to this file object */\n ...\n struct H5T_t *parent;/*parent type for derived datatypes */\n union {\n H5T_atomic_t atomic; /* an atomic datatype */\n H5T_compnd_t compnd; /* a compound datatype (struct) */\n H5T_enum_t enumer; /* an enumeration type (enum) */\n H5T_vlen_t vlen; /* a variable-length datatype */\n H5T_opaque_t opaque; /* an opaque datatype */\n H5T_array_t array; /* an array datatype */\n } u;\n } H5T_shared_t;\n \n\nIn these structures, H5T_array_t.nelem occupies the same memory as H5T_compnd_t.nalloc, and H5T_array_t.ndims occupies the same memory as H5T_compnd_t.nmembs. These are defined below. The fields that are used to control the allocation and the loop are marked.\n \n \n src/H5Tpkg.h:273\n typedef struct H5T_array_t {\n size_t nelem; /* total number of elements in array */ // XXX: modified using elements outside of the dims variable\n unsigned ndims; /* member dimensionality */ // XXX: modified inside H5T__array_create\n size_t dim[H5S_MAX_RANK]; /* size in each dimension */\n } H5T_array_t;\n \n src/H5Tpkg.h:217\n typedef struct H5T_compnd_t {\n unsigned nalloc; /*num entries allocated in MEMB array*/ // XXX: used to control the allocation\n unsigned nmembs; /*number of members defined in struct*/ // XXX: used to terminate the loop\n H5T_sort_t sorted; /*how are members sorted? */\n hbool_t packed; /*are members packed together? */\n H5T_cmemb_t *memb; /*array of struct members */\n size_t memb_size; /*total of all member sizes */\n } H5T_compnd_t;\n \n\nReferring back to the loop, these two fields are used to control when the loop terminates. 
Since u.array.ndims lets the library modify the value of u.compnd.nmembs, the code at line 391 will write outside the bounds of the allocation. This is a heap-based buffer overflow and can lead to code execution under the context of the application using the library.\n \n \n src/H5Odtype.c:282\n for(i = 0; i < dt->shared->u.compnd.nmembs; i++) { // XXX: u.array.ndims\n ... src/H5Odtype.c:391 ...\n /* Member size */\n dt->shared->u.compnd.memb[i].size = temp_type->shared->size; // XXX: writes outside of bounds of loop.\n dt->shared->u.compnd.memb_size += temp_type->shared->size;\n \n /* Set the field datatype (finally :-) */\n dt->shared->u.compnd.memb[i].type = temp_type;\n \n\n### Crash Analysis\n \n \n $ gdb -q --args bin/h5stat poc.hdf\n 1542 ../../../tools/h5stat/h5stat.c: No such file or directory.\n (gdb) bp src/H5Odtype.c:278\n Breakpoint 4 at 0xb6b04b3f: file ../../src/H5Odtype.c, line 278.\n (gdb) bp src/H5Odtype.c:312\n Breakpoint 5 at 0xb6b07356: file ../../src/H5Odtype.c, line 312.\n (gdb) bp src/H5Odtype.c:352\n Breakpoint 6 at 0xb6b091f7: file ../../src/H5Odtype.c, line 352.\n (gdb) bp src/H5Odtype.c:392\n Breakpoint 7 at 0xb6b0a852: file ../../src/H5Odtype.c, line 392.\n (gdb) r\n Starting program: $HOME/hdf5-1.8.16/release/bin/h5stat poc.hdf\n Filename: poc.hdf\n \n Breakpoint 3, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:278\n 278 dt->shared->u.compnd.memb = (H5T_cmemb_t *)H5MM_calloc(dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t));\n (gdb) p dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t)\n $1 = 0x30\n (gdb) n\n 279 dt->shared->u.compnd.memb_size = 0;\n (gdb) p dt->shared->u.compnd.memb\n $2 = (H5T_cmemb_t *) 0x83f4070\n (gdb) ba dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t)\n Hardware watchpoint 7: *(dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t))\n \n (gdb) c\n 
Continuing.\n Hardware watchpoint 7: *(dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t))\n \n Old value = 0x0\n New value = <unreadable>\n H5T__array_create (base=base@entry=0x83df448, ndims=ndims@entry=0x80, dim=dim@entry=0xbfffebc8) at ../../src/H5Tarray.c:206\n 206 ret_value->shared->u.array.nelem *= (size_t)dim[u];\n \n (gdb) c\n Continuing.\n \n Breakpoint 6, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:392\n 392 dt->shared->u.compnd.memb[i].size = temp_type->shared->size;\n (gdb) n\n \n Catchpoint 2 (signal SIGSEGV), 0x08148372 in H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:392\n 392 dt->shared->u.compnd.memb[i].size = temp_type->shared->size;\n \n Program terminated with signal SIGSEGV, Segmentation fault.\n The program no longer exists.\n (gdb)\n \n \n \n ==2061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2b20758 at pc 0xb699e18c bp 0xbfa0e618 sp 0xbfa0e610\n WRITE of size 4 at 0xb2b20758 thread T0\n #0 0xb699e18b in H5T__array_create $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:205\n #1 0xb629b2e4 in H5O_dtype_decode_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:352\n #2 0xb628d881 in H5O_dtype_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:1108\n #3 0xb6259fd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Oshared.h:84\n #4 0xb6335a5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:554\n #5 0xb63338a6 in H5O_msg_read $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:483\n #6 0xb57d3b96 in H5D__open_oid $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1245\n #7 0xb57d0df7 in H5D_open $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1153\n #8 0xb56763f9 in H5Dopen2 $HOME/hdf5-1.8.16/memcheck/src/../../src/H5D.c:368\n 
#9 0x80e0ecd in dataset_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:473\n #10 0x80d1d39 in obj_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:685\n #11 0x81d307d in traverse_cb $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:237\n #12 0xb5c6a66a in H5G_visit_cb $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:939\n #13 0xb5cbea72 in H5G__node_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026\n #14 0xb54b2c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175\n #15 0xb54b06db in H5B_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220\n #16 0xb5d17773 in H5G__stab_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565\n #17 0xb5ce2af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707\n #18 0xb5c67be2 in H5G_visit $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:1174\n #19 0xb6022f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1378\n #20 0x81bed2e in traverse $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:310\n #21 0x81c9df5 in h5trav_visit $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:1164\n #22 0x80cf9e3 in main $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:1623\n #23 0xb506ea82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\n #24 0x80cde74 in _start ($HOME/hdf5-1.8.16/memcheck/bin/h5stat+0x80cde74)\n \n 0xb2b20758 is located 0 bytes to the right of 168-byte region [0xb2b206b0,0xb2b20758)\n allocated by thread T0 here:\n #0 0x80b6b8e in calloc ($HOME/hdf5-1.8.16/memcheck/bin/h5stat+0x80b6b8e)\n #1 0xb6093d5b in H5MM_calloc $HOME/hdf5-1.8.16/memcheck/src/../../src/H5MM.c:107\n #2 0xb6982712 in H5T__alloc $HOME/hdf5-1.8.16/memcheck/src/../../src/H5T.c:3462\n #3 0xb699d08c in H5T__array_create $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:192\n #4 0xb629b2e4 in H5O_dtype_decode_helper 
$HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:352\n #5 0xb628d881 in H5O_dtype_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:1108\n #6 0xb6259fd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Oshared.h:84\n #7 0xb6335a5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:554\n #8 0xb63338a6 in H5O_msg_read $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:483\n #9 0xb57d3b96 in H5D__open_oid $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1245\n #10 0xb57d0df7 in H5D_open $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1153\n #11 0xb56763f9 in H5Dopen2 $HOME/hdf5-1.8.16/memcheck/src/../../src/H5D.c:368\n #12 0x80e0ecd in dataset_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:473\n #13 0x80d1d39 in obj_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:685\n #14 0x81d307d in traverse_cb $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:237\n #15 0xb5c6a66a in H5G_visit_cb $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:939\n #16 0xb5cbea72 in H5G__node_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026\n #17 0xb54b2c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175\n #18 0xb54b06db in H5B_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220\n #19 0xb5d17773 in H5G__stab_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565\n #20 0xb5ce2af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707\n #21 0xb5c67be2 in H5G_visit $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:1174\n #22 0xb6022f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1378\n #23 0x81bed2e in traverse $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:310\n #24 0x81c9df5 in h5trav_visit $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:1164\n #25 0x80cf9e3 in main 
$HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:1623\n #26 0xb506ea82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:205 H5T__array_create\n \n\n### Timeline\n\n2016-05-08 - Discovery \n2016-05-17 - Vendor Notification \n2016-11-15 - Public Disclosure \n\n\n### References\n\n[1] https://en.wikipedia.org/wiki/Hierarchical_Data_Format \n[2] http://www.hdfgroup.org/HDF5/\n\n##### Credit\n\nDiscovered by Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0178\n\nPrevious Report\n\nTALOS-2016-0181\n", "edition": 28, "modified": "2016-11-17T00:00:00", "published": "2016-11-17T00:00:00", "id": "TALOS-2016-0179", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0179", "title": "HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T21:25:23", "bulletinFamily": "info", "cvelist": ["CVE-2016-4331"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0177\n\n## HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability\n\n##### November 17, 2016\n\n##### CVE Number\n\nCVE-2016-4331\n\n### Description\n\nHDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS.\n\nThe vulnerability exists when the library is decoding data out of a dataset encoded with the H5Z_NBIT decoding. When calculating the precision that a BCD number is encoded as, the library will fail to ensure that the precision is within the bounds of the size. 
Due to this, the library will calculate an index outside the bounds of the space allocated for the BCD number. Whilst decoding this data, the library will then write outside the bounds of the buffer leading to a heap-based buffer overflow. This can lead to code execution under the context of the application using the library.\n\n### Tested Versions\n\nhdf5-1.8.16.tar.bz2\n\ntools/h5ls: Version 1.8.16 \n\n\ntools/h5stat: Version 1.8.16 \n\n\ntools/h5dump: Version 1.8.16 \n\n\n### Product Urls\n\nhttp://www.hdfgroup.org/HDF5/ \n\n\nhttp://www.hdfgroup.org/HDF5/release/obtainsrc.html \n\n\nhttp://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2\n\n### CVSSv3 Score\n\n8.6 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n\n### Details\n\nThe HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a file system, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that\u2019s able to contain other Datasets or Groups. Associated with each entry, is metadata containing user-defined named attributes that can be used to describe the dataset.\n\nWhen reading a dataset out of the file, the HDF5 library will call the following function, H5Dread. After allocating space for the buffer, the library will call an internal function H5D__read which will eventually call into H5D__chunk_lock. 
This function is responsible for reading the contents of the dataset into a cache that the application will later be able to access.\n \n \n src/H5Dio.c:125\n \n herr_t\n \n H5Dread(hid_t dset_id, hid_t mem_type_id, hid_t mem_space_id,\n \n hid_t file_space_id, hid_t plist_id, void *buf/*out*/)\n \n {\n \n ...\n \n /* read raw data */\n \n if(H5D__read(dset, mem_type_id, mem_space, file_space, plist_id, buf/*out*/) < 0)\n \n HGOTO_ERROR(H5E_DATASET, H5E_READERROR, FAIL, \"can't read data\")\n \n \n \n src/H5Dio.c:373\n \n herr_t\n \n H5D__read(H5D_t *dataset, hid_t mem_type_id, const H5S_t *mem_space,\n \n const H5S_t *file_space, hid_t dxpl_id, void *buf/*out*/)\n \n {\n \n ...\n \n /* Invoke correct \"high level\" I/O routine */\n \n if((*io_info.io_ops.multi_read)(&io_info, &type_info, nelmts, file_space, mem_space, &fm) <\n 0) // XXX: \\\n \n HGOTO_ERROR(H5E_DATASET, H5E_READERROR, FAIL, \"can't read data\")\n \n \n \n \\ ... src/H5Dchunk.c:1873\n \n /* Lock the chunk into the cache */\n \n if(NULL == (chunk = H5D__chunk_lock(io_info, &udata, FALSE)))\n \n HGOTO_ERROR(H5E_IO, H5E_READERROR, FAIL, \"unable to read raw data chunk\")\n \n\nOnce H5D__chunk_lock is reached, the library will call into its filter pipeline to determine how it can decode the data. This happens by calling H5Z_pipeline. 
Inside H5Z_pipeline, the library will determine what kind of filter to choose and then call the \u201cfilter\u201d method from a data structure that contains methods or handlers that deal with the specific encoding type.\n \n \n src/H5Dchunk.c:2808\n \n void *\n \n H5D__chunk_lock(const H5D_io_info_t *io_info, H5D_chunk_ud_t *udata,\n \n hbool_t relax)\n \n {\n \n \n \n if(H5Z_pipeline(pline, H5Z_FLAG_REVERSE, &(udata->filter_mask), io_info->dxpl_cache-\n >err_detect, // XXX: \\\n \n io_info->dxpl_cache->filter_cb, &chunk_alloc, &chunk_alloc, &chunk) < 0)\n \n HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, NULL, \"data pipeline read failed\")\n \n H5_CHECKED_ASSIGN(udata->nbytes, uint32_t, chunk_alloc, size_t);\n \n \\\n \n src/H5Z.c:1285\n \n herr_t\n \n H5Z_pipeline(const H5O_pline_t *pline, unsigned flags,\n \n unsigned *filter_mask/*in,out*/, H5Z_EDC_t edc_read,\n \n H5Z_cb_t cb_struct, size_t *nbytes/*in,out*/,\n \n size_t *buf_size/*in,out*/, void **buf/*in,out*/)\n \n {\n \n \n \n \n \n tmp_flags=flags|(pline->filter[idx].flags);\n \n tmp_flags|=(edc_read== H5Z_DISABLE_EDC) ? H5Z_FLAG_SKIP_EDC : 0;\n \n new_nbytes = (fclass->filter)(tmp_flags, pline->filter[idx].cd_nelmts, // XXX: calls\n H5Z_filter_nbit\n \n pline->filter[idx].cd_values, *nbytes, buf_size, buf);\n \n\nWhen handling data encoded with the nbit encoding type, the library will call H5Z_filter_nbit. This function will take inputs from the file and use it to calculate the amount of space required to decode the encoded data. This is done by taking the number of elements and multiplying it by the size of elements. With the provided proof of concept, the size is 4 and the number of elements is 12. 
This results in a buffer size of 48 bytes.\n \n \n src/H5Znbit.c:865\n \n static size_t\n \n H5Z_filter_nbit(unsigned flags, size_t cd_nelmts, const unsigned cd_values[],\n \n size_t nbytes, size_t *buf_size, void **buf)\n \n {\n \n \n \n /* copy a filter parameter to d_nelmts */\n \n d_nelmts = cd_values[2]; // XXX: number of elements\n \n \n \n /* input; decompress */\n \n if(flags & H5Z_FLAG_REVERSE) {\n \n size_out = d_nelmts * cd_values[4]; /* cd_values[4] stores datatype size */ // XXX:\n size of elements\n \n \n \n /* allocate memory space for decompressed buffer */\n \n if(NULL == (outbuf = (unsigned char *)H5MM_malloc(size_out))) // XXX:\n seems to be 0x30\n \n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, 0, \"memory allocation failed for nbit\n decompression\")\n \n \n \n /* decompress the buffer */\n \n H5Z_nbit_decompress(outbuf, d_nelmts, (unsigned char *)*buf, cd_values); // XXX:\n decompress data into outbuf\n \n\nWhen entering the H5Z_NBIT_ATOMIC case, the library copies input from the file into a structure that gets passed to H5Z_nbit_decompress_one_atomic. This loop will iterate for the number of elements that were stored in the dataset. 
The field that is used later to write outside the buffer allocated in the prior snippet is used to determine the precision of a binary-coded-decimal number.\n \n \n src/H5Znbit.c:1140\n \n static void\n \n H5Z_nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,\n \n const unsigned parms[])\n \n {\n \n \n \n switch(parms[3]) {\n \n case H5Z_NBIT_ATOMIC:\n \n /* set the index before goto function call */\n \n p.size = parms[4];\n \n p.order = parms[5];\n \n p.precision = parms[6]; // XXX: used later\n \n p.offset = parms[7];\n \n for(i = 0; i < d_nelmts; i++) {\n \n H5Z_nbit_decompress_one_atomic(data, i*p.size, buffer, &j, &buf_len, p);\n \n }\n \n break;\n \n\nOnce inside H5Z_nbit_decompress_one_atomic, the library will use the value of p.precision to calculate the index into the buffer that was allocated. Due to a lack of bounds-checking, this index will allow for a loop that is executed later to write outside the bounds of the buffer. If precision is larger than datatype_len, then the index can be made to overflow.\n \n \n src/H5Znbit.c:1012\n \n static void\n \n H5Z_nbit_decompress_one_atomic(unsigned char *data, size_t data_offset,\n \n unsigned char *buffer, size_t *j, int *buf_len, parms_atomic p)\n \n {\n \n /* begin_i: the index of byte having first significant bit\n \n end_i: the index of byte having last significant bit */\n \n int k, begin_i, end_i, datatype_len;\n \n \n \n datatype_len = p.size * 8;\n \n \n \n if(p.order == H5Z_NBIT_ORDER_BE) { /* big endian */\n \n /* calculate begin_i and end_i */\n \n begin_i = (datatype_len - p.precision - p.offset) / 8; // XXX: p.precision is used here to calculate begin_i\n \n if(p.offset % 8 != 0)\n \n end_i = (datatype_len - p.offset) / 8;\n \n else\n \n end_i = (datatype_len - p.offset) / 8 - 1;\n \n \n \n for(k = begin_i; k <= end_i; k++)\n \n H5Z_nbit_decompress_one_byte(data, data_offset, k, begin_i, end_i, // XXX: k == begin_i\n \n buffer, j, buf_len, p, datatype_len);\n \n \n \n 
It is within H5Z_nbit_decompress_one_byte that the library will write outside its bounds. Due to the value of begin_i pointing outside the buffer, this can be used to trigger a buffer overflow and overwrite adjacent data. This is a heap-based buffer overflow and can lead to code execution within the context of the library.\n \n \n \n src/H5Znbit.c:943\n \n static void\n \n H5Z_nbit_decompress_one_byte(unsigned char *data, size_t data_offset, int k,\n \n int begin_i, int end_i, unsigned char *buffer, size_t *j, int *buf_len,\n \n parms_atomic p, int datatype_len)\n \n {\n \n \n \n data[data_offset + k] = // XXX: data_offset + k points\n outside of data\n \n ((val & ~(~0 << *buf_len)) << (dat_len - *buf_len)) << uchar_offset;\n \n\n### Crash Analysis\n \n \n $ gdb --directory ~/build/hdf5-1.8.16/release/bin -q --args ~/build/hdf5-1.8.16/release/bin/h5dump 00015\n \n 8.hdf\n \n Reading symbols from /home/vrt/build/hdf5-1.8.16/release/bin/h5dump...done.\n \n (gdb) bp H5Znbit.c:896\n \n Breakpoint 3 at 0x8269e94: file ../../src/H5Znbit.c, line 896.\n \n (gdb) bp H5Znbit.c:1162\n \n Breakpoint 4 at 0x8269f09: file ../../src/H5Znbit.c, line 1162.\n \n (gdb) bp H5Znbit.c:1030\n \n Breakpoint 5 at 0x8269549: file ../../src/H5Znbit.c, line 1030.\n \n (gdb) r\n \n \n \n Breakpoint 3, H5Z_filter_nbit (flags=0x101, cd_nelmts=0x8, cd_values=0x848db88, nbytes=0x1f, buf_size=0xbfffbc7c, buf=0xbfffbc38) at ../../src/H5Znbit.c:896\n \n 896 if(NULL == (outbuf = (unsigned char *)H5MM_malloc(size_out)))\n \n (gdb) p size_out\n \n $6 = 0x0\n \n (gdb) c\n \n Continuing.\n \n \n \n Breakpoint 4, H5Z_nbit_decompress (parms=0x848db88, buffer=0x8498530 \":\\252\\263\u00ca\u00ab>\", d_nelmts=0xc, data=0x8498558 \"\") at ../../src/H5Znbit.c:1162\n \n 1162 p.precision = parms[6];\n \n (gdb) c\n \n Continuing.\n \n \n \n Breakpoint 5, H5Z_nbit_decompress_one_atomic (data=data@entry=0x8498558 \"\", data_offset=0x0, buffer=buffer@entry=0x8498530 \":\\252\\263\u00ca\u00ab>\", j=j@entry=0xbfffbb08, 
buf_len=buf_len@entry=0xbfffbb0c, p=...) at ../../src/H5Znbit.c:1030\n \n 1030 for(k = begin_i; k >= end_i; k--)\n \n (gdb) p k\n \n $7 = 0x2003\n \n (gdb) c\n \n Continuing.\n \n \n \n Catchpoint 2 (signal SIGSEGV), 0x082695ff in H5Z_nbit_decompress_one_byte (datatype_len=0x20, buf_len=0xbfffbb0c, j=0xbfffbb08, buffer=0x8498530 \":\\252\\263\u00ca\u00ab>\", end_i=0x0, begin_i=0x2003, k=0x557, data_offset=<optimized out>, data=<optimized out>, p=...) at ../../src/H5Znbit.c:983\n \n 983 ((val >> (*buf_len - dat_len)) & ~(~0 << dat_len)) << uchar_offset;\n \n \n \n ###Crash Analysis (Address Sanitizer)\n \n =================================================================\n \n ==2374==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3519a53 at pc 0xb74003af bp 0xbfcd6c38 sp 0xbfcd6c30\n \n WRITE of size 1 at 0xb3519a53 thread T0\n \n #0 0xb74003ae in H5Z_nbit_decompress_one_byte /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:975\n \n #1 0xb73f7a71 in H5Z_nbit_decompress_one_atomic /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:1031\n \n #2 0xb73e96ac in H5Z_nbit_decompress /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:1165\n \n #3 0xb73e783f in H5Z_filter_nbit /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:900\n \n #4 0xb73ccfd6 in H5Z_pipeline /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Z.c:1360\n \n #5 0xb568fc12 in H5D__chunk_lock /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dchunk.c:2903\n \n #6 0xb5673334 in H5D__chunk_read /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dchunk.c:1874\n \n #7 0xb57bb68d in H5D__read /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dio.c:550\n \n #8 0xb57b5813 in H5Dread /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dio.c:172\n \n #9 0x81e9cf3 in h5tools_dump_simple_dset /home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:1619\n \n #10 0x81e543d in h5tools_dump_dset 
/home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:1790\n \n #11 0x821316a in h5tools_dump_data /home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:3859\n \n #12 0x81045ca in dump_dataset /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:1053\n \n #13 0x80f5da3 in dump_all_cb /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:358\n \n #14 0xb5c1669a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:782\n \n #15 0xb5c71a72 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026\n \n #16 0xb5465c85 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175\n \n #17 0xb54636db in H5B_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220\n \n #18 0xb5cca773 in H5G__stab_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565\n \n #19 0xb5c95af2 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707\n \n #20 0xb5c14ba9 in H5G_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:843\n \n #21 0xb5fcdb47 in H5Literate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1182\n \n #22 0x80f1609 in link_iteration /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:608\n \n #23 0x8100596 in dump_group /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:890\n \n #24 0x80d3345 in main /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump.c:1542\n \n #25 0xb5021a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\n \n #26 0x80cec04 in _start (/home/vrt/build/hdf5-1.8.16/memcheck/bin/h5dump+0x80cec04)\n \n \n \n AddressSanitizer can not describe address in more detail (wild memory access suspected).\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:975 H5Z_nbit_decompress_one_byte\n \n\n### Timeline\n\n2016-05-17 - Vendor Notification \n\n\n2016-11-15 - Public Disclosure \n\n\n### References\n\n[1] https://en.wikipedia.org/wiki/Hierarchical_Data_Format \n\n\n[2] http://www.hdfgroup.org/HDF5/\n\n##### Credit\n\nDiscovered by Cisco Talos\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0176\n\nPrevious Report\n\nTALOS-2016-0178\n", "edition": 22, "modified": "2016-11-17T00:00:00", "published": "2016-11-17T00:00:00", "id": "TALOS-2016-0177", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0177", "title": "HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T21:24:54", "bulletinFamily": "info", "cvelist": ["CVE-2016-4332"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0178\n\n## HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability\n\n##### November 17, 2016\n\n##### CVE Number\n\nCVE-2016-4332\n\n### Description\n\nHDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS.\n\nThe vulnerability exists due to the library\u2019s failure to check if certain message types support a particular flag. When this flag is set, the library will cast the structure to an alternative structure and then assign to fields that aren\u2019t supported by the message type. Due to the message type not being able to support this flag, the library will write outside the bounds of the heap buffer. 
This can lead to code execution under the context of the library.\n\n### Tested Versions\n\nhdf5-1.8.16.tar.bz2 \ntools/h5ls: Version 1.8.16 \ntools/h5stat: Version 1.8.16 \ntools/h5dump: Version 1.8.16 \n\n\n### Product Urls\n\nhttp://www.hdfgroup.org/HDF5/ \nhttp://www.hdfgroup.org/HDF5/release/obtainsrc.html \nhttp://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2\n\n### CVSSv3 Score\n\n8.6 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n\n### Details\n\nThe HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a file system, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that\u2019s able to contain other Datasets or Groups. Associated with each entry is metadata containing user-defined named attributes that can be used to describe the dataset.\n\nWithin the HDF file format, paths can be specified as the \u2018/\u2019-separated POSIX format. When iterating through the contents of a group, for each object the library will first populate an H5G_loc_t structure with information about the object\u2019s location. Immediately afterwards, the library will fetch the metadata for the object using H5O_get_info. 
This is done by the following code located within src/H5O.c\n \n \n src/H5O.c:3280\n /* Find the object's location */\n if(H5G_loc_find(&loc, obj_name, &obj_loc/*out*/, lapl_id, dxpl_id) < 0) //\n XXX: assign location info about the object\n HGOTO_ERROR(H5E_OHDR, H5E_NOTFOUND, FAIL, \"object not found\")\n loc_found = TRUE;\n \n /* Get the object's info */\n if(H5O_get_info(&obj_oloc, dxpl_id, TRUE, &oinfo) < 0) // XXX: get\n metadata information about the object\n HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, \"unable to get object info\")\n \n\nAfter reading the header of the object\u2019s information into the \u201coh\u201d variable, the library will use this information to store the object class. A little bit later, the library will use the version to determine how to process some of the attributes associated with the object. If the object\u2019s version is H5O_VERSION_1, the library will then call H5O_msg_read_oh. This function will iterate through each of the message types in order to determine how to process them. 
The type that\u2019s specified is H5O_MTIME_ID which gets passed to H5O_msg_read_oh.\n \n \n src/H5O.c:2776\n herr_t\n H5O_get_info(const H5O_loc_t *loc, hid_t dxpl_id, hbool_t want_ih_info,\n H5O_info_t *oinfo)\n {\n ...\n /* Get the object header */\n if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ))) // XXX: read\n object header from file\n HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, FAIL, \"unable to load object header\")\n ...\n if(NULL == (obj_class = H5O_obj_class_real(oh)))\n HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, \"unable to determine object\n class\")\n ...\n if(oh->version > H5O_VERSION_1) {\n ...\n } /* end if */\n else {\n ...\n if((exists = H5O_msg_exists_oh(oh, H5O_MTIME_ID)) < 0)\n HGOTO_ERROR(H5E_OHDR, H5E_NOTFOUND, FAIL, \"unable to check for MTIME\n message\")\n if(exists > 0) {\n /* Get \"old style\" modification time info */\n if(NULL == H5O_msg_read_oh(loc->file, dxpl_id, oh, H5O_MTIME_ID,\n &oinfo->ctime)) // XXX: call message decode\n HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, \"can't read MTIME\n message\")\n \n\nInside H5O_msg_read_oh, the application will use the type_id argument to determine which message type is being used for a message. This message type is used to determine which callback to use in order to handle the message. This process occurs within the macro H5O_LOAD_NATIVE at H5Omessage.c:545\n \n \n src/H5Omessage.c:517\n void *\n H5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id,\n void *mesg)\n {\n const H5O_msg_class_t *type; /* Actual H5O class type for the ID */\n unsigned idx; /* Message's index in object header */\n void *ret_value = NULL;\n ...\n for(idx = 0; idx < oh->nmesgs; idx++)\n if(type == oh->mesg[idx].type)\n break;\n ...\n H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)\n \n\nInside the H5O_LOAD_NATIVE macro, the application will select a structure containing function pointers out of the msg->type field. 
This structure contains various functions that are used to decode the message. After calling the decode method, the library will check to see if the H5O_MSG_FLAG_SHAREABLE flag is set. If this flag is set then the macro H5O_UPDATE_SHARED is used to write into the pointer returned by the decode function.\n \n \n src/H5Opkg.h:184\n /* Load native information for a message, if it's not already present */\n /* (Only works for messages with decode callback) */\n #define H5O_LOAD_NATIVE(F, DXPL, IOF, OH, MSG, ERR) \\\n if(NULL == (MSG)->native) { \\\n const H5O_msg_class_t *msg_type = (MSG)->type; \\\n unsigned ioflags = (IOF); \\\n \\\n /* Decode the message */ \\\n HDassert(msg_type->decode); \\\n if(NULL == ((MSG)->native = (msg_type->decode)((F), (DXPL), (OH), (MSG)-\n >flags, &ioflags, (MSG)->raw))) \\\n HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, ERR, \"unable to decode\n message\") \\\n \\\n ...\n \\\n if((MSG)->flags & H5O_MSG_FLAG_SHAREABLE) { \\\n H5O_UPDATE_SHARED((H5O_shared_t *)(MSG)->native, H5O_SHARE_TYPE_HERE,\n (F), msg_type->id, (MSG)->crt_idx, (OH)->chunk[0].addr) \\\n } /* end if */\n \\\n \n\nInside the decode function for the H5O_MTIME_ID structure, the application will make an allocation that is the size of a time_t field. 
This is located within src/H5Omtime.c:174.\n \n \n src/H5Omtime.c:174\n static void *\n H5O_mtime_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t\n H5_ATTR_UNUSED *open_oh,\n unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const\n uint8_t *p)\n {\n time_t *mesg, the_time;\n int i;\n struct tm tm;\n void *ret_value = NULL; /* Return value */\n ...\n if(NULL == (mesg = H5FL_MALLOC(time_t)))\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\n *mesg = the_time;\n \n /* Set return value */\n ret_value = mesg;\n \n done:\n FUNC_LEAVE_NOAPI(ret_value)\n } /* end H5O_mtime_decode() */\n \n\nAfter allocating space for the time_t structure, the application will return back to the H5O_LOAD_NATIVE macro. Once this is returned, the application will check to see if the flags have the H5O_MSG_FLAG_SHAREABLE bit set. If so, the application will mis-cast the pointer to the time_t structure to an H5O_shared_t, and then try to write to it using the H5O_UPDATE_SHARED macro.\n \n \n src/H5Opkg.h:203\n if((MSG)->flags & H5O_MSG_FLAG_SHAREABLE) { \\\n H5O_UPDATE_SHARED((H5O_shared_t *)(MSG)->native, H5O_SHARE_TYPE_HERE,\n (F), msg_type->id, (MSG)->crt_idx, (OH)->chunk[0].addr) \\\n } /* end if */ \\\n \\\n src/H5Oprivate.h:114\n #define H5O_UPDATE_SHARED(SH_MESG, SH_TYPE, F, MSG_TYPE, CRT_IDX, OH_ADDR) \\\n { \\\n (SH_MESG)->type = (SH_TYPE); \\\n (SH_MESG)->file = (F); \\\n (SH_MESG)->msg_type_id = (MSG_TYPE); \\\n (SH_MESG)->u.loc.index = (CRT_IDX); \\\n (SH_MESG)->u.loc.oh_addr = (OH_ADDR); \\\n } /* end block */\n \n\nDue to the H5O_shared_t being larger than the size of a time_t, the H5O_UPDATE_SHARED macro will write outside the bounds of the time_t structure that was allocated by H5O_mtime_decode. This will corrupt adjacent metadata in the heap, and can be used to corrupt more of the state of the application which can lead to code execution under the context of the application using the library. 
This H5O_shared_t structure is listed below.\n \n \n src/H5Oprivate.h:230\n typedef struct H5O_shared_t {\n unsigned type; /* Type describing how message is shared\n */\n H5F_t *file; /* File that message is located within */\n unsigned msg_type_id; /* Message's type ID */\n union {\n H5O_mesg_loc_t loc; /* Object location info */\n H5O_fheap_id_t heap_id; /* ID within the SOHM heap */\n } u;\n } H5O_shared_t;\n \n\nThis vulnerable pattern also occurs while decoding two other messages. These two messages are the H5O_MTIME_NEW_ID which calls H5O_mtime_new_decode, and H5O_STAB_ID which calls H5O_stab_decode. H5O_mtime_new_decode, in the following snippet, is also used to allocate a time_t structure that is smaller than an H5O_shared_t which can be used to trigger a similar style of overwrite.\n \n \n src/H5Omtime.c:121\n static void *\n H5O_mtime_new_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t\n H5_ATTR_UNUSED *open_oh,\n unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const\n uint8_t *p)\n {\n ...\n /* The return value */\n if (NULL==(mesg = H5FL_MALLOC(time_t)))\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\");\n *mesg = (time_t)tmp_time;\n \n /* Set return value */\n ret_value=mesg;\n \n done:\n FUNC_LEAVE_NOAPI(ret_value)\n } /* end H5O_mtime_new_decode() */\n \n\nThe other message, H5O_STAB_ID, which uses H5O_stab_decode uses the following H5O_stab_t structure. 
Due to the library mis-casting this structure to an H5O_shared_t, the library will write outside the bounds of the allocation of the H5O_stab_t.\n \n \n src/H5Oprivate.h:531\n typedef struct H5O_stab_t {\n haddr_t btree_addr; /*address of B-tree */\n haddr_t heap_addr; /*address of name heap */\n } H5O_stab_t;\n \n\nSimilarly, the library will use H5FL_CALLOC(H5O_stab_t) to allocate space for the structure that gets overwritten.\n \n \n src/H5Ostab.c:99\n static void *\n H5O_stab_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED\n *open_oh,\n unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const\n uint8_t *p)\n {\n ...\n /* decode */\n if(NULL == (stab = H5FL_CALLOC(H5O_stab_t)))\n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\n H5F_addr_decode(f, &p, &(stab->btree_addr));\n H5F_addr_decode(f, &p, &(stab->heap_addr));\n \n /* Set return value */\n ret_value = stab;\n \n\nThese message IDs are located within src/H5Oprivate.h. H5O_MSG_FLAG_SHAREABLE is located\n \n \n src/H5Oprivate.h:185\n #define H5O_MTIME_ID 0x000e /* Modification time message. (Old) */\n ...\n #define H5O_STAB_ID 0x0011 /* Symbol table message. */\n #define H5O_MTIME_NEW_ID 0x0012 /* Modification time message. 
(New) */\n \n src/H5Oprivate.h:70\n /* Flags needed when encoding messages */\n #define H5O_MSG_FLAG_CONSTANT 0x01u\n #define H5O_MSG_FLAG_SHARED 0x02u\n #define H5O_MSG_FLAG_DONTSHARE 0x04u\n #define H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE 0x08u\n #define H5O_MSG_FLAG_MARK_IF_UNKNOWN 0x10u\n #define H5O_MSG_FLAG_WAS_UNKNOWN 0x20u\n #define H5O_MSG_FLAG_SHAREABLE 0x40u\n \n\n### Crash Analysis\n \n \n $ gdb -q --args bin/h5ls poc.hdf\n (gdb) r\n Starting program: bin/h5ls poc.hdf\n \n Breakpoint 3, main (argc=0x2, argv=0x192f5376) at ../../../tools/h5ls/h5ls.c:2568\n 2568 {\n (gdb) bp H5O_mtime_decode\n Breakpoint 4 at 0x8175ebf: file ../../src/H5Omtime.c, line 177.\n (gdb) c\n Continuing.\n cmpnd Type *ERROR*\n \n Breakpoint 4, H5O_mtime_decode (f=0x8478498, dxpl_id=0xa000008,\n open_oh=0x847adb8, mesg_flags=0x40, ioflags=0xbfffe168, p=0x847aeb0\n \"20110414214255\") at ../../src/H5Omtime.c:177\n 177 {\n \n (gdb) bp :246\n Breakpoint 5 at 0x817615b: file ../../src/H5Omtime.c, line 246.\n (gdb) c\n Continuing.\n \n Breakpoint 5, H5O_mtime_decode (f=0x8478498, dxpl_id=0xa000008,\n open_oh=0x847adb8, mesg_flags=0x40, ioflags=0xbfffe168, p=0x847aeb0\n \"20110414214255\") at ../../src/H5Omtime.c:246\n 246 if(NULL == (mesg = H5FL_MALLOC(time_t)))\n \n (gdb) p sizeof(time_t)\n $1 = 0x4\n (gdb) n\n 248 *mesg = the_time;\n \n (gdb) p mesg\n $10 = (time_t *) 0x847bf88\n (gdb) ba 0x847bf88+sizeof(time_t)\n Hardware watchpoint 11: *(0x847bf88+sizeof(time_t))\n (gdb) c\n Continuing.\n Hardware watchpoint 11: *(0x847bf88+sizeof(time_t))\n \n Old value = 0x844ebf0\n New value = 0x8478498\n 0x08172df0 in H5O_msg_read_oh (f=0x8478498, dxpl_id=0xa000008, oh=0x847adb8,\n type_id=0xe, mesg=0xbfffe9a0) at ../../src/H5Omessage.c:545\n 545 H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)\n (gdb) ub $pc L4\n 0x8172de7 <H5O_msg_read_oh+659>: mov 0x18(%eax),%eax\n 0x8172dea <H5O_msg_read_oh+662>: mov 0x8(%ebp),%edx\n 0x8172ded <H5O_msg_read_oh+665>: mov %edx,0x4(%eax) # 
XXX:\n writes past the size of a time_t\n => 0x8172df0 <H5O_msg_read_oh+668>: mov 0x10(%ebp),%eax\n (gdb) i r eax ebp\n eax 0x847bf88 0x847bf88\n ebp 0xbfffe198 0xbfffe198\n (gdb) c\n Continuing.\n *** Error in `/home/vrt/build/hdf5-1.8.16-release/release/bin/h5ls': malloc():\n memory corruption: 0x0847bf98 ***\n \n Catchpoint 2 (signal SIGABRT), 0xb7ffecb0 in ?? ()\n \n \n \n $ bin/h5ls poc.hdf\n =================================================================\n ==30927==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3d08b14 at pc 0xb6361e5b bp 0xbfda4258 sp 0xbfda4250\n WRITE of size 4 at 0xb3d08b14 thread T0\n #0 0xb6361e5a in H5O_msg_read_oh /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545\n #1 0xb60e96ee in H5O_get_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:2837\n #2 0xb5cb2252 in H5G_loc_info_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:701\n #3 0xb5d79bc4 in H5G_traverse_real /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:640\n #4 0xb5d74f1a in H5G_traverse /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:860\n #5 0xb5cb10de in H5G_loc_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:746\n #6 0xb60e336a in H5Oget_info_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:656\n #7 0x81ec049 in traverse_cb /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:222\n #8 0xb5c8e87a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:782\n #9 0xb5ce9cd2 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026\n #10 0xb54dcfe5 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1175\n #11 0xb54daa3b in H5B_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1220\n #12 0xb5d42a23 in H5G__stab_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565\n #13 0xb5d0dd52 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707\n #14 
0xb5c8cd89 in H5G_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:843\n #15 0xb60491f8 in H5Literate_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5L.c:1254\n #16 0x81d87fc in traverse /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:315\n #17 0x81e3735 in h5trav_visit /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164\n #18 0x80de12b in visit_obj /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2390\n #19 0x80d4e1f in main /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2880\n #20 0xb5096a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\n #21 0x80ce814 in _start (/home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/.libs/lt-h5ls+0x80ce814)\n \n 0xb3d08b14 is located 0 bytes to the right of 4-byte region [0xb3d08b10,0xb3d08b14)\n allocated by thread T0 here:\n #0 0x80b7441 in malloc (/home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/.libs/lt-h5ls+0x80b7441)\n #1 0xb60beeca in H5MM_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5MM.c:66\n #2 0xb5b3744c in H5FL_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5FL.c:199\n #3 0xb5b361c2 in H5FL_reg_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5FL.c:399\n #4 0xb638d7c2 in H5O_mtime_decode /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omtime.c:246\n #5 0xb63610ec in H5O_msg_read_oh /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545\n #6 0xb60e96ee in H5O_get_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:2837\n #7 0xb5cb2252 in H5G_loc_info_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:701\n #8 0xb5d79bc4 in H5G_traverse_real /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:640\n #9 0xb5d74f1a in H5G_traverse /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:860\n #10 0xb5cb10de in H5G_loc_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:746\n #11 0xb60e336a in H5Oget_info_by_name 
/home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:656\n #12 0x81ec049 in traverse_cb /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:222\n #13 0xb5c8e87a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:782\n #14 0xb5ce9cd2 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026\n #15 0xb54dcfe5 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1175\n #16 0xb54daa3b in H5B_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1220\n #17 0xb5d42a23 in H5G__stab_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565\n #18 0xb5d0dd52 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707\n #19 0xb5c8cd89 in H5G_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:843\n #20 0xb60491f8 in H5Literate_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5L.c:1254\n #21 0x81d87fc in traverse /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:315\n #22 0x81e3735 in h5trav_visit /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164\n #23 0x80de12b in visit_obj /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2390\n #24 0x80d4e1f in main /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2880\n #25 0xb5096a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545 H5O_msg_read_oh\n Shadow bytes around the buggy address:\n 0x367a1110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x367a1120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x367a1130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x367a1140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x367a1150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n =>0x367a1160: fa fa[04]fa fa fa 00 fa fa fa 00 07 fa fa 00 04\n 0x367a1170: fa fa 00 04 fa fa 00 04 fa fa 00 
04 fa fa 00 04\n 0x367a1180: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 fa\n 0x367a1190: fa fa 00 01 fa fa 00 fa fa fa fd fd fa fa fd fa\n 0x367a11a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd\n 0x367a11b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07\n Heap left redzone: fa\n Heap right redzone: fb\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack partial redzone: f4\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n ASan internal: fe\n ==30927==ABORTING\n \n\n### Timeline\n\n2016-05-08 - Discovery \n2016-05-17 - Vendor Notification \n2016-11-15 - Public Disclosure \n\n\n### References\n\n[1] https://en.wikipedia.org/wiki/Hierarchical_Data_Format \n[2] http://www.hdfgroup.org/HDF5/\n\n##### Credit\n\nDiscovered by Cisco Talos\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0177\n\nPrevious Report\n\nTALOS-2016-0179\n", "edition": 10, "modified": "2016-11-17T00:00:00", "published": "2016-11-17T00:00:00", "id": "TALOS-2016-0178", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0178", "title": "HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T21:25:12", "bulletinFamily": "info", "cvelist": ["CVE-2016-4330"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0176\n\n## HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability\n\n##### November 17, 2016\n\n##### CVE Number\n\nCVE-2016-4330\n\n### Description\n\nHDF5 is a file format that is maintained by a non-profit organization, The HDF Group. 
HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS. The vulnerability exists due to the library\u2019s failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it. When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.\n\n### Tested Versions\n\nhdf5-1.8.16.tar.bz2 \ntools/h5ls: Version 1.8.16 \ntools/h5stat: Version 1.8.16 \ntools/h5dump: Version 1.8.16 \n\n\n### Product Urls\n\nhttp://www.hdfgroup.org/HDF5/ \nhttp://www.hdfgroup.org/HDF5/release/obtainsrc.html \nhttp://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2\n\n### CVSSv3 Score\n\n8.6 \u2013 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n\n### Details\n\nThe HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a filesystem, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that\u2019s able to contain other Datasets or Groups. Associated with each entry is metadata containing user-defined named attributes that can be used to describe the dataset.\n\nWithin the HDF file format, paths can be specified as the \u2018/\u2019-separated POSIX format. When reading a dataset, the library will open the object using H5D__open_oid. Inside this function, the library will read the type and its location. 
Once the type and its location are read, the library will pass the H5O_DTYPE_ID value on to H5O_msg_read.\n \n \n src/H5Dint.c:1221\n \n static herr_t\n \n H5D__open_oid(H5D_t *dataset, hid_t dapl_id, hid_t dxpl_id)\n \n {\n \n \n \n /* Open the dataset object */\n \n if(H5O_open(&(dataset->oloc)) < 0)\n \n HGOTO_ERROR(H5E_DATASET, H5E_CANTOPENOBJ, FAIL, \"unable to open\")\n \n \n \n /* Get the type and space */\n \n if(NULL == (dataset->shared->type = (H5T_t *)H5O_msg_read(&(dataset->oloc), H5O_DTYPE_ID, NULL, dxpl_id))) // XXX: \\\n \n HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, \"unable to load type info from dataset header\")\n \n \\\n \n src/H5Omessage.c:463\n \n void *\n \n H5O_msg_read(const H5O_loc_t *loc, unsigned type_id, void *mesg,\n \n hid_t dxpl_id)\n \n {\n \n H5O_t *oh = NULL; /* Object header to use */\n \n void *ret_value; /* Return value */\n \n \n \n \n \n \n \n /* Get the object header */\n \n if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ)))\n \n HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, NULL, \"unable to protect object header\")\n \n \n \n /* Call the \"real\" read routine */\n \n if(NULL == (ret_value = H5O_msg_read_oh(loc->file, dxpl_id, oh, type_id, mesg))) // XXX: read the message from the object header\n \n HGOTO_ERROR(H5E_OHDR, H5E_READERROR, NULL, \"unable to read object header message\")\n \n\nInside H5O_msg_read_oh, the application will use the type_id argument to determine which message type is being used for a message. This message type is used to determine which callback to use in order to handle the message. 
This process occurs within the macro H5O_LOAD_NATIVE at H5Omessage.c:545\n \n \n src/H5Omessage.c:517\n \n void *\n \n H5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id,\n \n void *mesg)\n \n {\n \n const H5O_msg_class_t *type; /* Actual H5O class type for the ID */\n \n unsigned idx; /* Message's index in object header */\n \n void *ret_value = NULL;\n \n \n \n for(idx = 0; idx < oh->nmesgs; idx++)\n \n if(type == oh->mesg[idx].type)\n \n break;\n \n \n \n H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)\n \n\nInside the H5O_LOAD_NATIVE macro, the application will select a structure containing function pointers out of the msg->type field. This structure contains various functions that are used to decode the message. When decoding a msg of type H5O_DTYPE_ID, the library will dispatch into the H5O_dtype_shared_decode function. This function will eventually call H5O_dtype_decode. Inside H5O_dtype_decode, the library will first allocate space using the call H5T__alloc. 
Afterwards, execution will continue onto H5O_dtype_decode_helper which is responsible for decoding the datatypes.\n \n \n src/H5Oshared.h:50\n \n static H5_INLINE void *\n \n H5O_SHARED_DECODE(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags,\n \n unsigned *ioflags, const uint8_t *p)\n \n {\n \n \n \n /* Decode native message directly */\n \n if(NULL == (ret_value = H5O_SHARED_DECODE_REAL(f, dxpl_id, open_oh, mesg_flags, ioflags, p))) // XXX: \\\n \n HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, \"unable to decode native message\")\n \n } /* end else */\n \n \\\n \n src/H5Odtype.c:1091\n \n static void *\n \n H5O_dtype_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,\n \n unsigned *ioflags/*in,out*/, const uint8_t *p)\n \n {\n \n \n \n /* Allocate datatype message */\n \n if(NULL == (dt = H5T__alloc()))\n \n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\n \n \n \n /* Perform actual decode of message */\n \n if(H5O_dtype_decode_helper(f, ioflags, &p, dt) < 0)\n \n HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, \"can't decode type\")\n \n \n \n Inside H5T__alloc, the library will allocate space for an H5T_shared_t object. This structure is defined within H5Tpkg.h at line 288. The vulnerability is due to the definition of the H5T_array_t field within the union u. The H5T_array_t structure defines an H5S_MAX_RANK element array of size_t fields. 
Defined in src/H5public.h:31, this length is 32.\n \n \n \n src/H5T.c:3446\n \n H5T_t *\n \n H5T__alloc(void)\n \n {\n \n \n \n /* Allocate & initialize shared datatype structure */\n \n if(NULL == (dt->shared = H5FL_CALLOC(H5T_shared_t))) // XXX: sizeof(H5T_shared_t)\n \n HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, \"memory allocation failed\")\n \n \n \n src/H5Spublic.h:31\n \n #define H5S_MAX_RANK 32\n \n \n \n src/H5Tpkg.h:288\n \n typedef struct H5T_shared_t {\n \n \n \n union {\n \n \n \n H5T_array_t\tarray; /* an array datatype */\n \n } u;\n \n } H5T_shared_t;\n \n \n \n src/H5Tpkg.h:273\n \n typedef struct H5T_array_t {\n \n size_t\tnelem;\t\t/* total number of elements in array */\n \n unsigned\tndims;\t\t/* member dimensionality */\n \n size_t\tdim[H5S_MAX_RANK]; /* size in each dimension */ // XXX: maximum of 32\n \n } H5T_array_t;\n \n\nAfter allocating space for the H5T_array_t, the library will return back to H5O_dtype_decode which will then execute the function H5O_dtype_decode_helper. When entering the case H5T_ARRAY, the library will read the number of dimensions from the file and then check that it\u2019s valid via an assertion. Due to an assertion being only enabled when the application is compiled in debug-mode, this check will get optimized out by the preprocessor. Immediately following, the library will enter a loop that reads DWORDs from the file into the H5T_array_t.dim field. If the value of u.array.ndims is larger than 32, then this loop will read data outside the bounds of the H5T_array_t that was allocated earlier. 
This will lead to heap corruption and can lead to code execution under the context of the application using the library.\n \n \n src/H5Odtype.c:133\n \n static htri_t\n \n H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags/*in,out*/, const uint8_t **pp, H5T_t *dt)\n \n {\n \n \n \n case H5T_ARRAY: /* Array datatypes */\n \n /* Decode the number of dimensions */\n \n dt->shared->u.array.ndims = *(*pp)++;\n \n \n \n /* Double-check the number of dimensions */\n \n HDassert(dt->shared->u.array.ndims <= H5S_MAX_RANK);\n \n \n \n /* Decode array dimension sizes & compute number of elements */\n \n for(i = 0, dt->shared->u.array.nelem = 1; i < (unsigned)dt->shared->u.array.ndims; i++) {\n \n UINT32DECODE(*pp, dt->shared->u.array.dim[i]);\n \n dt->shared->u.array.nelem *= dt->shared->u.array.dim[i];\n \n } /* end for */\n \n\n### Crash Analysis\n \n \n $ gdb -q --args bin/h5stat poc.hdf\n \n No symbol table is loaded. Use the \"file\" command.\n \n Reading symbols from $HOME/hdf5-1.8.16/release/bin/h5stat...done.\n \n (gdb) bp H5Odtype.c:518\n \n Breakpoint 3 at 0x8147cb0: file ../../src/H5Odtype.c, line 518.\n \n (gdb) bp H5Odtype.c:528 i < 0x1f\n \n Breakpoint 4 at 0x8147cc9: file ../../src/H5Odtype.c, line 528.\n \n (gdb) r\n \n Starting program: $HOME/hdf5-1.8.16/release/bin/h5stat poc.hdf\n \n Filename: poc.hdf\n \n \n \n Breakpoint 3, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:518\n \n 518 dt->shared->u.array.ndims = *(*pp)++;\n \n (gdb) n\n \n 524 if(version < H5O_DTYPE_VERSION_3)\n \n (gdb) n\n \n 518 dt->shared->u.array.ndims = *(*pp)++;\n \n (gdb) n\n \n 524 if(version < H5O_DTYPE_VERSION_3)\n \n (gdb) p dt->shared->u.array.ndims\n \n $1 = 0x69\n \n (gdb) c\n \n Continuing.\n \n \n \n *** Error in `$HOME/hdf5-1.8.16/release/bin/h5stat': free(): invalid pointer: 0x083f21e1 ***\n \n \n \n Catchpoint 2 (signal SIGABRT), 0xb7ffecb0 in ?? 
()\n \n (gdb)\n \n \n \n ### Crash Analysis (Address Sanitizer)\n \n =================================================================\n \n ==2398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2b20938 at pc 0xb626a9fe bp 0xbfb6d5d8 sp 0xbfb6d5d0\n \n WRITE of size 4 at 0xb2b20938 thread T0\n \n #0 0xb626a9fd in H5O_dtype_decode_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:529\n \n #1 0xb6252881 in H5O_dtype_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:1108\n \n #2 0xb621efd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Oshared.h:84\n \n #3 0xb62faa5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:554\n \n #4 0xb62f88a6 in H5O_msg_read $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:483\n \n #5 0xb5798b96 in H5D__open_oid $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1245\n \n #6 0xb5795df7 in H5D_open $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1153\n \n #7 0xb563b3f9 in H5Dopen2 $HOME/hdf5-1.8.16/asan/src/../../src/H5D.c:368\n \n #8 0x825351d in find_objs_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:580\n \n #9 0x8270c4d in traverse_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:237\n \n #10 0xb5c2f66a in H5G_visit_cb $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:939\n \n #11 0xb5c83a72 in H5G__node_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026\n \n #12 0xb5477c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1175\n \n #13 0xb54756db in H5B_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1220\n \n #14 0xb5cdc773 in H5G__stab_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565\n \n #15 0xb5ca7af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707\n \n #16 0xb5c2cbe2 in H5G_visit $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:1174\n \n #17 0xb5fe7f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/asan/src/../../src/H5L.c:1378\n \n #18 0x825c8fe in traverse 
$HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:310\n \n #19 0x82679c5 in h5trav_visit $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164\n \n #20 0x82522c4 in init_objs $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:655\n \n #21 0x80cf3b7 in table_list_add $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:408\n \n #22 0x80d12c1 in main $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:1470\n \n #23 0xb5033a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\n \n #24 0x80cec04 in _start ($HOME/hdf5-1.8.16/asan/bin/h5dump+0x80cec04)\n \n \n \n 0xb2b20938 is located 0 bytes to the right of 168-byte region [0xb2b20890,0xb2b20938)\n \n allocated by thread T0 here:\n \n #0 0x80b791e in calloc ($HOME/hdf5-1.8.16/asan/bin/h5dump+0x80b791e)\n \n #1 0xb6058d5b in H5MM_calloc $HOME/hdf5-1.8.16/asan/src/../../src/H5MM.c:107\n \n #2 0xb6947712 in H5T__alloc $HOME/hdf5-1.8.16/asan/src/../../src/H5T.c:3462\n \n #3 0xb62523b8 in H5O_dtype_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:1104\n \n #4 0xb621efd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Oshared.h:84\n \n #5 0xb62faa5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:554\n \n #6 0xb62f88a6 in H5O_msg_read $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:483\n \n #7 0xb5798b96 in H5D__open_oid $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1245\n \n #8 0xb5795df7 in H5D_open $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1153\n \n #9 0xb563b3f9 in H5Dopen2 $HOME/hdf5-1.8.16/asan/src/../../src/H5D.c:368\n \n #10 0x825351d in find_objs_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:580\n \n #11 0x8270c4d in traverse_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:237\n \n #12 0xb5c2f66a in H5G_visit_cb $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:939\n \n #13 0xb5c83a72 in H5G__node_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026\n \n #14 
0xb5477c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1175\n \n #15 0xb54756db in H5B_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1220\n \n #16 0xb5cdc773 in H5G__stab_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565\n \n #17 0xb5ca7af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707\n \n #18 0xb5c2cbe2 in H5G_visit $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:1174\n \n #19 0xb5fe7f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/asan/src/../../src/H5L.c:1378\n \n #20 0x825c8fe in traverse $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:310\n \n #21 0x82679c5 in h5trav_visit $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164\n \n #22 0x82522c4 in init_objs $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:655\n \n #23 0x80cf3b7 in table_list_add $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:408\n \n #24 0x80d12c1 in main $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:1470\n \n #25 0xb5033a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\n \n \n \n SUMMARY: AddressSanitizer: heap-buffer-overflow $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:529 H5O_dtype_decode_helper\n \n\n### Timeline\n\n2016-05-08 - Discovery \n\n\n2016-05-17 - Vendor Notification \n\n\n2016-11-15 - Public Disclosure\n\n### References\n\n[1] https://en.wikipedia.org/wiki/Hierarchical_Data_Format \n\n\n[2] http://www.hdfgroup.org/HDF5/\n\n##### Credit\n\nDiscovered by Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0260\n\nPrevious Report\n\nTALOS-2016-0177\n", "edition": 13, "modified": "2016-11-17T00:00:00", "published": "2016-11-17T00:00:00", "id": "TALOS-2016-0176", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0176", "title": "HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}]}