#1103541 hdf5: CVE-2025-2309

Package:
src:hdf5
Source:
src:hdf5
Submitter:
Salvatore Bonaccorso
Date:
2025-04-18 19:45:04 UTC
Severity:
normal
Tags:
#1103541#5
Date:
2025-04-18 19:43:08 UTC
Hi,

The following vulnerability was published for hdf5.

CVE-2025-2309[0]:
| A vulnerability has been found in HDF5 1.14.6 and classified as
| critical. This vulnerability affects the function H5T__bit_copy of
| the component Type Conversion Logic. The manipulation leads to heap-
| based buffer overflow. Local access is required to approach this
| attack. The exploit has been disclosed to the public and may be
| used. The real existence of this vulnerability is still doubted at
| the moment. The vendor was contacted early about a batch of
| vulnerabilities. His response was "reject" without further
| explanation. We have not received an elaboration even after asking
| politely for further details. Currently we assume that the vendor
| wants to "dispute" the entries which is why they are flagged as such
| until further details become available.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2309
https://www.cve.org/CVERecord?id=CVE-2025-2309

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore