#1103540 hdf5: CVE-2025-2310

Package:
src:hdf5
Source:
src:hdf5
Submitter:
Salvatore Bonaccorso
Date:
2025-04-18 19:45:03 UTC
Severity:
normal
Message #5 in #1103540
Date:
2025-04-18 19:42:33 UTC
Hi,

The following vulnerability was published for hdf5.

CVE-2025-2310[0]:
| A vulnerability was found in HDF5 1.14.6 and classified as critical.
| This issue affects the function H5MM_strndup of the component
| Metadata Attribute Decoder. The manipulation leads to heap-based
| buffer overflow. Attacking locally is a requirement. The exploit has
| been disclosed to the public and may be used. The real existence of
| this vulnerability is still doubted at the moment. The vendor was
| contacted early about a batch of vulnerabilities. His response was
| "reject" without further explanation. We have not received an
| elaboration even after asking politely for further details.
| Currently we assume that the vendor wants to "dispute" the entries
| which is why they are flagged as such until further details become
| available.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2310
https://www.cve.org/CVERecord?id=CVE-2025-2310

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore