Multiple ZDI issues

[sebastic]

ZDI reported several issues, but has gotten no feedback on them according to their reports.

Can we expect a 4.9.4 release with the fixes for those issues, or do we need to wait for 4.10.0?

Issues in question:

• https://security-tracker.debian.org/tracker/CVE-2025-14932
• https://security-tracker.debian.org/tracker/CVE-2025-14933
• https://security-tracker.debian.org/tracker/CVE-2025-14934
• https://security-tracker.debian.org/tracker/CVE-2025-14935
• https://security-tracker.debian.org/tracker/CVE-2025-14936

[DennisHeimbigner]

We need some help. How do we determine exactly where in our code the bug is located?

[sebastic]

Fady Osman (@fadyosman) of ZDI is credited with finding the issues, he likely has reproducers or fuzzer results.

[WardF]

These are issues that crop up from other static analysis sources as well. PR's are welcome, otherwise we will address them as quickly as we are able to, but there will not be a release cut just to address these, unfortunately. With luck we'll be able to have fixes in with the upcoming 4.10.0 release. PR's welcome :).

[krisfed]

Looking at the ZDI links for these, seems like they were "reported to the vendor" back in June (although I don't see github issues for them, perhaps it was by email).

If there is any additional information about the impact of these CVEs that can be safely shared, that would be very useful for accessing the downstream risk! For example, I suspect CVE-2025-14932 might only be affecting ncdump code.. And I would guess that the rest are likely only relevant to one specific file type. Is any information like that already known (e.g. was part of the original report) and can be shared?

[fadyosman]

Hi Everyone,

Apologies for the delayed response, the following are the PoCs along with a crash report.

https://huggingface.co/datasets/fadyosman/cl22-v1h_get_NC_var-heap-overflow/tree/main
https://huggingface.co/datasets/fadyosman/cl20-attrubute-name-stack-buffer-overflow/tree/main
https://huggingface.co/datasets/fadyosman/cl14-get_timeinfo-stack-buffer-overflow/tree/main
https://huggingface.co/datasets/fadyosman/cl11-v1h_get_NC_var-heap-over-flow/tree/main
https://huggingface.co/datasets/fadyosman/netcdf-cl8-var-name-stackoverflow/tree/main
https://huggingface.co/datasets/fadyosman/netcdf-cl7-H5Tget_native_type-heapoverflow/tree/main
https://huggingface.co/datasets/fadyosman/netcdf-cl4-dim-name-heap-overflow/tree/main

Please note that the PoCs are more than 5 since some crashes were not reproducible by ZDI and hence were not accepted.

From basic analysis, the fix should be simple, the functions use the size provided in the file without checks for copying, either a check should be added or the buffer size should be used when copying the data to avoid the overflows.