[AutoPR- Security] Patch hdf5 for CVE-2025-7067, CVE-2025-44905, CVE-2025-2924, CVE-2025-2914, CVE-2025-2913 [MEDIUM]

SPECS/hdf5/CVE-2025-2913.patch

@@ -0,0 +1,34 @@
+From 5f977a44cd87b7dd7afa3fb610c84cf0b11fc8d5 Mon Sep 17 00:00:00 2001
+From: Binh-Minh <[email protected]>
+Date: Mon, 4 Aug 2025 03:10:29 -0400
+Subject: [PATCH] Fix reading bad size in the raw header continuation message
+
+This issue was reported in GH-5376 as a heap-use-after-free vulnerability in
+one of the free lists.  It appeared that the library came to this vulnerability
+after it encountered an undetected reading of a bad value.  The fuzzer now failed
+with an appropriate error message.
+
+This considers addressing what GH-5376 reported.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/HDFGroup/hdf5/pull/5710.patch
+---
+ src/H5Ocont.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/H5Ocont.c b/src/H5Ocont.c
+index 621095a..c03f4dd 100644
+--- a/src/H5Ocont.c
++++ b/src/H5Ocont.c
+@@ -100,6 +100,8 @@ H5O__cont_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
+     if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     H5F_DECODE_LENGTH(f, p, cont->size);
++    if (cont->size == 0)
++        HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid continuation chunk size (0)");
+
+     cont->chunkno = 0;
+
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2914.patch

@@ -0,0 +1,48 @@
+From 79bfbd8ab3b2dafdea47c727cad735b22c1144ce Mon Sep 17 00:00:00 2001
+From: Binh-Minh <[email protected]>
+Date: Tue, 12 Aug 2025 20:06:42 -0400
+Subject: [PATCH] Refix of the attempts in PR-5209
+
+This PR addresses the root cause of the issue by adding a sanity-check immediately
+after reading the file space page size from the file.
+
+The same fuzzer in GH-5376 was used to verify that the assert before the vulnerability
+had occurred and that an error indicating a corrupted file space page size replaced it.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/HDFGroup/hdf5/pull/5722.patch
+---
+ src/H5Fsuper.c  | 2 ++
+ src/H5Ofsinfo.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c
+index 3e5bc9a..4de4c1f 100644
+--- a/src/H5Fsuper.c
++++ b/src/H5Fsuper.c
+@@ -756,6 +756,8 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, bool initial_read)
+             if (!(flags & H5O_MSG_FLAG_WAS_UNKNOWN)) {
+                 H5O_fsinfo_t fsinfo; /* File space info message from superblock extension */
+
++                memset(&fsinfo, 0, sizeof(H5O_fsinfo_t));
++
+                 /* f->shared->null_fsm_addr: Whether to drop free-space to the floor */
+                 /* The h5clear tool uses this property to tell the library
+                  * to drop free-space to the floor
+diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c
+index 5b69235..2bb6ea6 100644
+--- a/src/H5Ofsinfo.c
++++ b/src/H5Ofsinfo.c
+@@ -182,6 +182,9 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
+         if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+         H5F_DECODE_LENGTH(f, p, fsinfo->page_size); /* File space page size */
++        /* Basic sanity check */
++        if (fsinfo->page_size == 0 || fsinfo->page_size > H5F_FILE_SPACE_PAGE_SIZE_MAX)
++            HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid page size in file space info");
+
+         if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2924.patch

@@ -0,0 +1,147 @@
+From abc0b16c2e39652ce297688446f7c380c3c4ee74 Mon Sep 17 00:00:00 2001
+From: Glenn Song <[email protected]>
+Date: Thu, 11 Sep 2025 16:24:33 -0500
+Subject: [PATCH 1/4] Add to sanity check
+
+---
+ src/H5HLcache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index d0836fe..dd66162 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -232,7 +232,7 @@ H5HL__fl_deserialize(H5HL_t *heap)
+         const uint8_t *image; /* Pointer into image buffer */
+
+         /* Sanity check */
+-        if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
++        if ((free_block > heap->dblk_size) || ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size))
+             HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
+
+         /* Allocate & initialize free list node */
+-- 
+2.45.4
+
+
+From 738fe08756f8dd388b883e31ffe93905140360ce Mon Sep 17 00:00:00 2001
+From: Glenn Song <[email protected]>
+Date: Thu, 11 Sep 2025 18:47:22 -0500
+Subject: [PATCH 2/4] Add better check for overflow
+
+---
+ src/H5HLcache.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index dd66162..ed27e23 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -232,7 +232,12 @@ H5HL__fl_deserialize(H5HL_t *heap)
+         const uint8_t *image; /* Pointer into image buffer */
+
+         /* Sanity check */
+-        if ((free_block > heap->dblk_size) || ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size))
++        HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
++
++        if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
++            HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
++
++        if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
+             HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
+
+         /* Allocate & initialize free list node */
+-- 
+2.45.4
+
+
+From 155a1ffba3e19d11bf4de43deb27f4dac0bb9644 Mon Sep 17 00:00:00 2001
+From: Glenn Song <[email protected]>
+Date: Thu, 11 Sep 2025 19:22:38 -0500
+Subject: [PATCH 3/4] Add release note
+
+---
+ release_docs/RELEASE.txt | 7 +++++++
+ src/H5HLcache.c          | 6 +++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
+index d94ed33..7e76a37 100644
+--- a/release_docs/RELEASE.txt
++++ b/release_docs/RELEASE.txt
+@@ -997,6 +997,13 @@ Bug Fixes since HDF5-1.14.3 release
+       The MPI-2 supporting artifacts have been removed due to the cessation
+       of MPI-2 maintenance and testing since version HDF5 1.12.
+
++    - Check for overflow in decoded heap block addresses
++
++      Currently, we do not check for overflow when decoding addresses from
++      the heap, which can cause overflow problems. We've added a check in 
++      H5HL__fl_deserialize to ensure no overflow can occur.
++
++      Fixes GitHub issue #5382
+
+     - Fixed a segfault when using a user-defined conversion function between compound datatypes
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index ed27e23..0e684cc 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -225,15 +225,15 @@ H5HL__fl_deserialize(H5HL_t *heap)
+     /* check arguments */
+     assert(heap);
+     assert(!heap->freelist);
+-
++    HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
++    
+     /* Build free list */
+     free_block = heap->free_block;
+     while (H5HL_FREE_NULL != free_block) {
+         const uint8_t *image; /* Pointer into image buffer */
+
+         /* Sanity check */
+-        HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
+-
++        
+         if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
+             HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
+
+-- 
+2.45.4
+
+
+From dda4babedbcf26002d88fc5a62123d293f1358a2 Mon Sep 17 00:00:00 2001
+From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
+Date: Fri, 12 Sep 2025 00:24:29 +0000
+Subject: [PATCH 4/4] Committing clang-format changes
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/HDFGroup/hdf5/pull/5814.patch
+---
+ src/H5HLcache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index 0e684cc..7f412d2 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -226,14 +226,14 @@ H5HL__fl_deserialize(H5HL_t *heap)
+     assert(heap);
+     assert(!heap->freelist);
+     HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
+-    
++
+     /* Build free list */
+     free_block = heap->free_block;
+     while (H5HL_FREE_NULL != free_block) {
+         const uint8_t *image; /* Pointer into image buffer */
+
+         /* Sanity check */
+-        
++
+         if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
+             HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
+
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-44905.patch

@@ -0,0 +1,154 @@
+From f4cd98cfc5a8d9380b4e089326b8340a10b9769f Mon Sep 17 00:00:00 2001
+From: Christian Wojek <[email protected]>
+Date: Sat, 11 Oct 2025 12:43:06 +0200
+Subject: [PATCH 1/5] Fixing CVE-2025-44905. A malformed HDF5 can cause reading
+ beyond a heap allocation.
+
+---
+ src/H5Zscaleoffset.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index 048344b..ad118f3 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,6 +1205,9 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         unsigned           minval_size  = 0;
+
+         minbits = 0;
++        if (*buf_size < 4)
++            HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
++
+         for (i = 0; i < 4; i++) {
+             minbits_mask = ((unsigned char *)*buf)[i];
+             minbits_mask <<= i * 8;
+-- 
+2.45.4
+
+
+From 186cef3aa5c7c5b0bd70f58a169a11443a7feb1f Mon Sep 17 00:00:00 2001
+From: Christian Wojek <[email protected]>
+Date: Sat, 11 Oct 2025 16:27:18 +0200
+Subject: [PATCH 2/5] Use H5_IS_BUFFER_OVERFLOW
+
+---
+ src/H5Zscaleoffset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index ad118f3..24b442a 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,7 +1205,7 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         unsigned           minval_size  = 0;
+
+         minbits = 0;
+-        if (*buf_size < 4)
++        if (H5_IS_BUFFER_OVERFLOW(buf, 4, buf + *buf_size - 1))
+             HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+
+         for (i = 0; i < 4; i++) {
+-- 
+2.45.4
+
+
+From c81220cbeeccd711adc384f9c89e20ee4862e866 Mon Sep 17 00:00:00 2001
+From: Christian Wojek <[email protected]>
+Date: Mon, 27 Oct 2025 22:01:08 +0100
+Subject: [PATCH 3/5] Revised fix after internal review
+
+---
+ src/H5Zscaleoffset.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index 24b442a..a397724 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,7 +1205,7 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         unsigned           minval_size  = 0;
+
+         minbits = 0;
+-        if (H5_IS_BUFFER_OVERFLOW(buf, 4, buf + *buf_size - 1))
++        if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char*)*buf + *buf_size - 1))
+             HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+
+         for (i = 0; i < 4; i++) {
+@@ -1223,6 +1223,8 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         minval_size = sizeof(unsigned long long) <= ((unsigned char *)*buf)[4] ? sizeof(unsigned long long)
+                                                                                : ((unsigned char *)*buf)[4];
+         minval      = 0;
++        if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size, (unsigned char*)*buf + *buf_size - 1))
++            HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+         for (i = 0; i < minval_size; i++) {
+             minval_mask = ((unsigned char *)*buf)[5 + i];
+             minval_mask <<= i * 8;
+-- 
+2.45.4
+
+
+From 0a82add95ed0f1f8f60b1232f3c0f9ac7de672bb Mon Sep 17 00:00:00 2001
+From: Larry Knox <[email protected]>
+Date: Tue, 28 Oct 2025 22:27:01 -0500
+Subject: [PATCH 4/5] Apply suggestions from code review
+
+---
+ src/H5Zscaleoffset.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index a397724..42a9541 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,7 +1205,7 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         unsigned           minval_size  = 0;
+
+         minbits = 0;
+-        if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char*)*buf + *buf_size - 1))
++        if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char *)*buf + *buf_size - 1))
+             HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+
+         for (i = 0; i < 4; i++) {
+@@ -1223,7 +1223,8 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         minval_size = sizeof(unsigned long long) <= ((unsigned char *)*buf)[4] ? sizeof(unsigned long long)
+                                                                                : ((unsigned char *)*buf)[4];
+         minval      = 0;
+-        if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size, (unsigned char*)*buf + *buf_size - 1))
++        if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size,
++                                                        (unsigned char *)*buf + *buf_size - 1))
+             HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+         for (i = 0; i < minval_size; i++) {
+             minval_mask = ((unsigned char *)*buf)[5 + i];
+-- 
+2.45.4
+
+
+From d8c235b9a696578ccd20a0ac23c8c6bedf79b37a Mon Sep 17 00:00:00 2001
+From: Larry Knox <[email protected]>
+Date: Tue, 28 Oct 2025 22:33:15 -0500
+Subject: [PATCH 5/5] Update src/H5Zscaleoffset.c
+
+Eliminate extra spaces
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/HDFGroup/hdf5/pull/5915.patch
+---
+ src/H5Zscaleoffset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index 42a9541..fbf12d6 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1224,7 +1224,7 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+                                                                                : ((unsigned char *)*buf)[4];
+         minval      = 0;
+         if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size,
+-                                                        (unsigned char *)*buf + *buf_size - 1))
++                                  (unsigned char *)*buf + *buf_size - 1))
+             HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+         for (i = 0; i < minval_size; i++) {
+             minval_mask = ((unsigned char *)*buf)[5 + i];
+-- 
+2.45.4
+