hdf5 - Debian Package Tracker

general

source: hdf5 (main)
version: 1.14.5+repack-3
maintainer: Gilles Filippini (DMD)
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.10.4+repack-10
o-o-sec: 1.10.4+repack-10+deb10u1
oldstable: 1.10.6+repack-4+deb11u1
stable: 1.10.8+repack1-1
testing: 1.14.5+repack-3
unstable: 1.14.5+repack-3

versioned links

1.10.4+repack-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.10.4+repack-10+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.10.6+repack-4+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.10.8+repack1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.14.5+repack-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

hdf5-helpers
hdf5-tools (4 bugs: 0, 4, 0, 0)
libhdf5-310
libhdf5-cpp-310
libhdf5-dev (2 bugs: 0, 2, 0, 0)
libhdf5-doc
libhdf5-fortran-310
libhdf5-hl-310
libhdf5-hl-cpp-310
libhdf5-hl-fortran-310
libhdf5-java
libhdf5-jni
libhdf5-mpi-dev
libhdf5-mpich-310
libhdf5-mpich-cpp-310
libhdf5-mpich-dev
libhdf5-mpich-fortran-310
libhdf5-mpich-hl-310
libhdf5-mpich-hl-cpp-310
libhdf5-mpich-hl-fortran-310
libhdf5-openmpi-310
libhdf5-openmpi-cpp-310
libhdf5-openmpi-dev (2 bugs: 0, 2, 0, 0)
libhdf5-openmpi-fortran-310
libhdf5-openmpi-hl-310
libhdf5-openmpi-hl-cpp-310
libhdf5-openmpi-hl-fortran-310

action needed

A new upstream version is available: 1.14.6 high

A new upstream version 1.14.6 is available, you should consider packaging it.

Created: 2025-02-06 Last update: 2025-04-25 00:02

12 security issues in sid high

There are 12 open security issues in sid.

12 important issues:

CVE-2025-2153: A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2025-2308: A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2309: A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2310: A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2912: A vulnerability was found in HDF5 up to 1.14.6. It has been declared as problematic. Affected by this vulnerability is the function H5O_msg_flush of the file src/H5Omessage.c. The manipulation of the argument oh leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2913: A vulnerability was found in HDF5 up to 1.14.6. It has been rated as problematic. Affected by this issue is the function H5FL__blk_gc_list of the file src/H5FL.c. The manipulation of the argument H5FL_blk_head_t leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2914: A vulnerability classified as problematic has been found in HDF5 up to 1.14.6. This affects the function H5FS__sinfo_Srialize_Sct_cb of the file src/H5FScache.c. The manipulation of the argument sect leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
CVE-2025-2915: A vulnerability classified as problematic was found in HDF5 up to 1.14.6. This vulnerability affects the function H5F__accum_free of the file src/H5Faccum.c. The manipulation of the argument overlap_size leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
CVE-2025-2923: A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5F_addr_encode_len of the file src/H5Fint.c. The manipulation of the argument pp leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
CVE-2025-2924: A vulnerability, which was classified as problematic, was found in HDF5 up to 1.14.6. This affects the function H5HL__fl_deserialize of the file src/H5HLcache.c. The manipulation of the argument free_block leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
CVE-2025-2925: A vulnerability has been found in HDF5 up to 1.14.6 and classified as problematic. This vulnerability affects the function H5MM_realloc of the file src/H5MM.c. The manipulation of the argument mem leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2926: A vulnerability was found in HDF5 up to 1.14.6 and classified as problematic. This issue affects the function H5O__cache_chk_serialize of the file src/H5Ocache.c. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Created: 2025-03-11 Last update: 2025-04-22 13:02

54 security issues in bullseye high

There are 54 open security issues in bullseye.

12 important issues:

CVE-2025-2153: A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2025-2308: A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2309: A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2310: A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2912: A vulnerability was found in HDF5 up to 1.14.6. It has been declared as problematic. Affected by this vulnerability is the function H5O_msg_flush of the file src/H5Omessage.c. The manipulation of the argument oh leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2913: A vulnerability was found in HDF5 up to 1.14.6. It has been rated as problematic. Affected by this issue is the function H5FL__blk_gc_list of the file src/H5FL.c. The manipulation of the argument H5FL_blk_head_t leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2914: A vulnerability classified as problematic has been found in HDF5 up to 1.14.6. This affects the function H5FS__sinfo_Srialize_Sct_cb of the file src/H5FScache.c. The manipulation of the argument sect leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
CVE-2025-2915: A vulnerability classified as problematic was found in HDF5 up to 1.14.6. This vulnerability affects the function H5F__accum_free of the file src/H5Faccum.c. The manipulation of the argument overlap_size leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
CVE-2025-2923: A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5F_addr_encode_len of the file src/H5Fint.c. The manipulation of the argument pp leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
CVE-2025-2924: A vulnerability, which was classified as problematic, was found in HDF5 up to 1.14.6. This affects the function H5HL__fl_deserialize of the file src/H5HLcache.c. The manipulation of the argument free_block leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
CVE-2025-2925: A vulnerability has been found in HDF5 up to 1.14.6 and classified as problematic. This vulnerability affects the function H5MM_realloc of the file src/H5MM.c. The manipulation of the argument mem leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2926: A vulnerability was found in HDF5 up to 1.14.6 and classified as problematic. This issue affects the function H5O__cache_chk_serialize of the file src/H5Ocache.c. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

42 issues postponed or untriaged:

CVE-2019-8396: (needs triaging) A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka "Invalid write of size 2."
CVE-2019-8398: (needs triaging) An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c.
CVE-2018-11205: (needs triaging) A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service or information disclosure attack.
CVE-2018-11206: (needs triaging) An out of bounds read was discovered in H5O_fill_new_decode and H5O_fill_old_decode in H5Ofill.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service or information disclosure attack.
CVE-2022-25942: (postponed; to be fixed through a stable update) An out-of-bounds read vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-25972: (postponed; to be fixed through a stable update) An out-of-bounds write vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-26061: (postponed; to be fixed through a stable update) A heap-based buffer overflow vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2024-29157: (needs triaging) HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29158: (needs triaging) HDF5 through 1.14.3 contains a stack buffer overflow in H5FL_arr_malloc, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29159: (needs triaging) HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29160: (needs triaging) HDF5 through 1.14.3 contains a heap buffer overflow in H5HG__cache_heap_deserialize, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29161: (needs triaging) HDF5 through 1.14.3 contains a heap buffer overflow in H5A__attr_release_table, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29162: (needs triaging) HDF5 through 1.13.3 and/or 1.14.2 contains a stack buffer overflow in H5HG_read, resulting in denial of service or potential code execution.
CVE-2024-29163: (needs triaging) HDF5 through 1.14.3 contains a heap buffer overflow in H5T__bit_find, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29164: (needs triaging) HDF5 through 1.14.3 contains a stack buffer overflow in H5R__decode_heap, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29165: (needs triaging) HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_fletcher32, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29166: (needs triaging) HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-32605: (needs triaging) HDF5 Library through 1.14.3 has a heap-based buffer over-read in H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in H5Dcompact.c).
CVE-2024-32606: (needs triaging) HDF5 Library through 1.14.3 may attempt to dereference uninitialized values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from h5tools_dump_simple_data in tools/lib/h5tools_dump.c).
CVE-2024-32607: (needs triaging) HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c, resulting in the corruption of the instruction pointer.
CVE-2024-32608: (needs triaging) HDF5 library through 1.14.3 has memory corruption in H5A__close resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-32609: (needs triaging) HDF5 Library through 1.14.3 allows stack consumption in the function H5E_printf_stack in H5Eint.c.
CVE-2024-32610: (needs triaging) HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c, resulting in a corrupted instruction pointer.
CVE-2024-32611: (needs triaging) HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c.
CVE-2024-32612: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption of the instruction pointer, a different vulnerability than CVE-2024-32613.
CVE-2024-32613: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read in the function H5HL__fl_deserialize in H5HLcache.c, a different vulnerability than CVE-2024-32612.
CVE-2024-32614: (needs triaging) HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c.
CVE-2024-32615: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier use of an initialized pointer.
CVE-2024-32616: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5O__dtype_encode_helper in H5Odtype.c.
CVE-2024-32617: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called from H5G__ent_to_link in H5Glink.c).
CVE-2024-32618: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__get_native_type in H5Tnative.c, resulting in the corruption of the instruction pointer.
CVE-2024-32619: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer.
CVE-2024-32620: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of the instruction pointer.
CVE-2024-32621: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5HG_read in H5HG.c (called from H5VL__native_blob_get in H5VLnative_blob.c), resulting in the corruption of the instruction pointer.
CVE-2024-32622: (needs triaging) HDF5 Library through 1.14.3 contains a out-of-bounds read operation in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in H5S.c).
CVE-2024-32623: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5VM_array_fill in H5VM.c (called from H5S_select_elements in H5Spoint.c).
CVE-2024-32624: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in H5Tconv.c), resulting in the corruption of the instruction pointer.
CVE-2024-33873: (needs triaging) HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5D__scatter_mem in H5Dscatgath.c.
CVE-2024-33874: (needs triaging) HDF5 Library through 1.14.3 has a heap buffer overflow in H5O__mtime_new_encode in H5Omtime.c.
CVE-2024-33875: (needs triaging) HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5O__layout_encode in H5Olayout.c, resulting in the corruption of the instruction pointer.
CVE-2024-33876: (needs triaging) HDF5 Library through 1.14.3 has a heap buffer overflow in H5S__point_deserialize in H5Spoint.c.
CVE-2024-33877: (needs triaging) HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5T__conv_struct_opt in H5Tconv.c.

Created: 2025-03-11 Last update: 2025-04-22 13:02

41 security issues in buster high

There are 41 open security issues in buster.

35 important issues:

CVE-2024-29157: HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29158: HDF5 through 1.14.3 contains a stack buffer overflow in H5FL_arr_malloc, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29159: HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29160: HDF5 through 1.14.3 contains a heap buffer overflow in H5HG__cache_heap_deserialize, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29161: HDF5 through 1.14.3 contains a heap buffer overflow in H5A__attr_release_table, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29162: HDF5 through 1.13.3 and/or 1.14.2 contains a stack buffer overflow in H5HG_read, resulting in denial of service or potential code execution.
CVE-2024-29163: HDF5 through 1.14.3 contains a heap buffer overflow in H5T__bit_find, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29164: HDF5 through 1.14.3 contains a stack buffer overflow in H5R__decode_heap, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29165: HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_fletcher32, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29166: HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-32605: HDF5 Library through 1.14.3 has a heap-based buffer over-read in H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in H5Dcompact.c).
CVE-2024-32606: HDF5 Library through 1.14.3 may attempt to dereference uninitialized values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from h5tools_dump_simple_data in tools/lib/h5tools_dump.c).
CVE-2024-32607: HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c, resulting in the corruption of the instruction pointer.
CVE-2024-32608:
CVE-2024-32609: HDF5 Library through 1.14.3 allows stack consumption in the function H5E_printf_stack in H5Eint.c.
CVE-2024-32610: HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c, resulting in a corrupted instruction pointer.
CVE-2024-32611: HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c.
CVE-2024-32612: HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption of the instruction pointer, a different vulnerability than CVE-2024-32613.
CVE-2024-32613: HDF5 Library through 1.14.3 contains a heap-based buffer over-read in the function H5HL__fl_deserialize in H5HLcache.c, a different vulnerability than CVE-2024-32612.
CVE-2024-32614: HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c.
CVE-2024-32615: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier use of an initialized pointer.
CVE-2024-32616: HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5O__dtype_encode_helper in H5Odtype.c.
CVE-2024-32617: HDF5 Library through 1.14.3 contains a heap-based buffer over-read caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called from H5G__ent_to_link in H5Glink.c).
CVE-2024-32618: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__get_native_type in H5Tnative.c, resulting in the corruption of the instruction pointer.
CVE-2024-32619: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer.
CVE-2024-32620: HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of the instruction pointer.
CVE-2024-32621: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5HG_read in H5HG.c (called from H5VL__native_blob_get in H5VLnative_blob.c), resulting in the corruption of the instruction pointer.
CVE-2024-32622: HDF5 Library through 1.14.3 contains a out-of-bounds read operation in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in H5S.c).
CVE-2024-32623: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5VM_array_fill in H5VM.c (called from H5S_select_elements in H5Spoint.c).
CVE-2024-32624: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in H5Tconv.c), resulting in the corruption of the instruction pointer.
CVE-2024-33873: HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5D__scatter_mem in H5Dscatgath.c.
CVE-2024-33874: HDF5 Library through 1.14.3 has a heap buffer overflow in H5O__mtime_new_encode in H5Omtime.c.
CVE-2024-33875: HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5O__layout_encode in H5Olayout.c, resulting in the corruption of the instruction pointer.
CVE-2024-33876: HDF5 Library through 1.14.3 has a heap buffer overflow in H5S__point_deserialize in H5Spoint.c.
CVE-2024-33877: HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5T__conv_struct_opt in H5Tconv.c.

6 issues postponed or untriaged:

CVE-2019-8396: (needs triaging) A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka "Invalid write of size 2."
CVE-2019-8398: (needs triaging) An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c.
CVE-2018-11205: (needs triaging) A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service or information disclosure attack.
CVE-2022-25942: (postponed; to be fixed through a stable update) An out-of-bounds read vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-25972: (postponed; to be fixed through a stable update) An out-of-bounds write vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-26061: (postponed; to be fixed through a stable update) A heap-based buffer overflow vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

Created: 2024-05-10 Last update: 2024-06-23 09:00

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit f01786b067fbee06f82ae2f41d6dcec9f3aee8d1
Author: Dylan Aïssi <daissi@debian.org>
Date:   Wed Apr 2 15:53:38 2025 +0200

    d/source/format: drop duplicated line

Created: 2025-04-02 Last update: 2025-04-24 13:33

lintian reports 63 warnings normal

Lintian reports 63 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-07-29 Last update: 2025-04-10 23:00

53 low-priority security issues in bookworm low

There are 53 open security issues in bookworm.

53 issues left for the package maintainer to handle:

CVE-2019-8396: (needs triaging) A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka "Invalid write of size 2."
CVE-2019-8398: (needs triaging) An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c.
CVE-2025-2153: (postponed; to be fixed through a stable update) A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2025-2308: (postponed; to be fixed through a stable update) A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2309: (postponed; to be fixed through a stable update) A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2310: (postponed; to be fixed through a stable update) A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about a batch of vulnerabilities. His response was "reject" without further explanation. We have not received an elaboration even after asking politely for further details. Currently we assume that the vendor wants to "dispute" the entries which is why they are flagged as such until further details become available.
CVE-2025-2912: (postponed; to be fixed through a stable update) A vulnerability was found in HDF5 up to 1.14.6. It has been declared as problematic. Affected by this vulnerability is the function H5O_msg_flush of the file src/H5Omessage.c. The manipulation of the argument oh leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2913: (postponed; to be fixed through a stable update) A vulnerability was found in HDF5 up to 1.14.6. It has been rated as problematic. Affected by this issue is the function H5FL__blk_gc_list of the file src/H5FL.c. The manipulation of the argument H5FL_blk_head_t leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2914: (postponed; to be fixed through a stable update) A vulnerability classified as problematic has been found in HDF5 up to 1.14.6. This affects the function H5FS__sinfo_Srialize_Sct_cb of the file src/H5FScache.c. The manipulation of the argument sect leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
CVE-2025-2915: (postponed; to be fixed through a stable update) A vulnerability classified as problematic was found in HDF5 up to 1.14.6. This vulnerability affects the function H5F__accum_free of the file src/H5Faccum.c. The manipulation of the argument overlap_size leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
CVE-2025-2923: (postponed; to be fixed through a stable update) A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5F_addr_encode_len of the file src/H5Fint.c. The manipulation of the argument pp leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
CVE-2025-2924: (postponed; to be fixed through a stable update) A vulnerability, which was classified as problematic, was found in HDF5 up to 1.14.6. This affects the function H5HL__fl_deserialize of the file src/H5HLcache.c. The manipulation of the argument free_block leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
CVE-2025-2925: (postponed; to be fixed through a stable update) A vulnerability has been found in HDF5 up to 1.14.6 and classified as problematic. This vulnerability affects the function H5MM_realloc of the file src/H5MM.c. The manipulation of the argument mem leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-2926: (postponed; to be fixed through a stable update) A vulnerability was found in HDF5 up to 1.14.6 and classified as problematic. This issue affects the function H5O__cache_chk_serialize of the file src/H5Ocache.c. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2018-11205: (needs triaging) A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service or information disclosure attack.
CVE-2022-25942: (postponed; to be fixed through a stable update) An out-of-bounds read vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-25972: (postponed; to be fixed through a stable update) An out-of-bounds write vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-26061: (postponed; to be fixed through a stable update) A heap-based buffer overflow vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2024-29157: (needs triaging) HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29158: (needs triaging) HDF5 through 1.14.3 contains a stack buffer overflow in H5FL_arr_malloc, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29159: (needs triaging) HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29160: (needs triaging) HDF5 through 1.14.3 contains a heap buffer overflow in H5HG__cache_heap_deserialize, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29161: (needs triaging) HDF5 through 1.14.3 contains a heap buffer overflow in H5A__attr_release_table, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29162: (needs triaging) HDF5 through 1.13.3 and/or 1.14.2 contains a stack buffer overflow in H5HG_read, resulting in denial of service or potential code execution.
CVE-2024-29163: (needs triaging) HDF5 through 1.14.3 contains a heap buffer overflow in H5T__bit_find, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29164: (needs triaging) HDF5 through 1.14.3 contains a stack buffer overflow in H5R__decode_heap, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29165: (needs triaging) HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_fletcher32, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-29166: (needs triaging) HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-32605: (needs triaging) HDF5 Library through 1.14.3 has a heap-based buffer over-read in H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in H5Dcompact.c).
CVE-2024-32606: (needs triaging) HDF5 Library through 1.14.3 may attempt to dereference uninitialized values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from h5tools_dump_simple_data in tools/lib/h5tools_dump.c).
CVE-2024-32607: (needs triaging) HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c, resulting in the corruption of the instruction pointer.
CVE-2024-32608: (needs triaging) HDF5 library through 1.14.3 has memory corruption in H5A__close resulting in the corruption of the instruction pointer and causing denial of service or potential code execution.
CVE-2024-32609: (needs triaging) HDF5 Library through 1.14.3 allows stack consumption in the function H5E_printf_stack in H5Eint.c.
CVE-2024-32610: (needs triaging) HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c, resulting in a corrupted instruction pointer.
CVE-2024-32611: (needs triaging) HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c.
CVE-2024-32612: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption of the instruction pointer, a different vulnerability than CVE-2024-32613.
CVE-2024-32613: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read in the function H5HL__fl_deserialize in H5HLcache.c, a different vulnerability than CVE-2024-32612.
CVE-2024-32614: (needs triaging) HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c.
CVE-2024-32615: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier use of an initialized pointer.
CVE-2024-32616: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5O__dtype_encode_helper in H5Odtype.c.
CVE-2024-32617: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called from H5G__ent_to_link in H5Glink.c).
CVE-2024-32618: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__get_native_type in H5Tnative.c, resulting in the corruption of the instruction pointer.
CVE-2024-32619: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer.
CVE-2024-32620: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of the instruction pointer.
CVE-2024-32621: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5HG_read in H5HG.c (called from H5VL__native_blob_get in H5VLnative_blob.c), resulting in the corruption of the instruction pointer.
CVE-2024-32622: (needs triaging) HDF5 Library through 1.14.3 contains a out-of-bounds read operation in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in H5S.c).
CVE-2024-32623: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5VM_array_fill in H5VM.c (called from H5S_select_elements in H5Spoint.c).
CVE-2024-32624: (needs triaging) HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in H5Tconv.c), resulting in the corruption of the instruction pointer.
CVE-2024-33873: (needs triaging) HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5D__scatter_mem in H5Dscatgath.c.
CVE-2024-33874: (needs triaging) HDF5 Library through 1.14.3 has a heap buffer overflow in H5O__mtime_new_encode in H5Omtime.c.
CVE-2024-33875: (needs triaging) HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5O__layout_encode in H5Olayout.c, resulting in the corruption of the instruction pointer.
CVE-2024-33876: (needs triaging) HDF5 Library through 1.14.3 has a heap buffer overflow in H5S__point_deserialize in H5Spoint.c.
CVE-2024-33877: (needs triaging) HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5T__conv_struct_opt in H5Tconv.c.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2025-04-22 13:02

debian/patches: 10 patches to forward upstream low

Among the 10 debian patches available in version 1.14.5+repack-3 of the package, we noticed the following issues:

10 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-01-06 08:04

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2025-01-06 Last update: 2025-01-06 05:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.5.0).

Created: 2020-11-17 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-01-11] hdf5 1.14.5+repack-3 MIGRATED to testing (Debian testing watch)
[2025-01-05] Accepted hdf5 1.14.5+repack-3 (source) into unstable (Gilles Filippini)
[2025-01-05] Accepted hdf5 1.14.5+repack-3~exp4 (source) into experimental (Gilles Filippini)
[2025-01-04] Accepted hdf5 1.14.5+repack-3~exp3 (source) into experimental (Gilles Filippini)
[2025-01-03] Accepted hdf5 1.14.5+repack-3~exp2 (source) into experimental (Gilles Filippini)
[2025-01-03] Accepted hdf5 1.14.5+repack-3~exp1 (source) into experimental (Gilles Filippini)
[2024-12-30] Accepted hdf5 1.14.5+repack-2 (source) into unstable (Gilles Filippini)
[2024-12-24] hdf5 1.14.5+repack-1 MIGRATED to testing (Debian testing watch)
[2024-12-10] Accepted hdf5 1.14.5+repack-1 (source) into unstable (Gilles Filippini)
[2024-12-05] hdf5 1.10.10+repack-5 MIGRATED to testing (Debian testing watch)
[2024-11-28] Accepted hdf5 1.14.5+repack-1~exp6 (source) into experimental (Gilles Filippini)
[2024-11-28] Accepted hdf5 1.10.10+repack-5 (source) into unstable (Gilles Filippini)
[2024-11-21] Accepted hdf5 1.14.5+repack-1~exp5 (source) into experimental (Gilles Filippini)
[2024-11-20] Accepted hdf5 1.14.5+repack-1~exp4 (source) into experimental (Gilles Filippini)
[2024-11-19] Accepted hdf5 1.14.5+repack-1~exp3 (source) into experimental (Gilles Filippini)
[2024-11-18] Accepted hdf5 1.14.5+repack-1~exp2 (source) into experimental (Gilles Filippini)
[2024-10-27] Accepted hdf5 1.14.5+repack-1~exp1 (source) into experimental (Gilles Filippini)
[2024-08-20] Accepted hdf5 1.14.4.3+repack-1~exp3 (source) into experimental (Gilles Filippini)
[2024-08-03] hdf5 1.10.10+repack-4 MIGRATED to testing (Debian testing watch)
[2024-07-28] Accepted hdf5 1.10.10+repack-4 (source) into unstable (Gilles Filippini)
[2024-07-02] Accepted hdf5 1.14.4.3+repack-1~exp2 (source) into experimental (Gilles Filippini)
[2024-06-28] Accepted hdf5 1.14.4.3+repack-1~exp1 (source) into experimental (Gilles Filippini)
[2024-05-07] hdf5 1.10.10+repack-3.3 MIGRATED to testing (Debian testing watch)
[2024-04-12] Accepted hdf5 1.14.3+repack1-1~exp3 (source) into experimental (Gilles Filippini)
[2024-03-29] Accepted hdf5 1.10.10+repack-3.3 (source) into unstable (Andrey Rakhmatullin) (signed by: Andrey Rahmatullin)
[2024-03-26] Accepted hdf5 1.10.10+repack-3.2 (source) into unstable (Andrey Rakhmatullin) (signed by: Andrey Rahmatullin)
[2024-03-18] Accepted hdf5 1.14.3+repack1-1~exp2 (source) into experimental (Gilles Filippini)
[2024-03-17] Accepted hdf5 1.14.3+repack-1~exp1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Gilles Filippini)
[2024-03-01] Accepted hdf5 1.10.10+repack-3.1 (source) into unstable (Steve Langasek)
[2023-10-23] hdf5 1.10.10+repack-3 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 22
RC: 0
I&N: 20
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 63)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.14.5+repack-3
17 bugs (1 patch)