[Medium] Patch hdf5 for CVE-2025-2153, CVE-2025-2310, CVE-2025-2914, CVE-2025-2926, CVE-2025-6816, CVE-2025-2925, CVE-2025-2924, CVE-2025-44905,CVE-2025-6269, CVE-2025-6750, CVE-2025-6857, CVE-2025-7067, CVE-2025-7068, CVE-2025-6858 (#15297)

Author: jykanase

SPECS/hdf5/CVE-2025-2153.patch

@@ -0,0 +1,43 @@
+From 4be883f34d8906bd907dcf0ddb17d47dad5357d3 Mon Sep 17 00:00:00 2001
+From: Glenn Song <gsong@hdfgroup.org>
+Date: Mon, 8 Sep 2025 17:06:52 -0500
+Subject: [PATCH 01/14] Add release text
+
+Upstream patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5795.patch
+---
+ src/H5Ocache.c   | 4 ++--
+ src/H5Omessage.c | 3 +++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/H5Ocache.c b/src/H5Ocache.c
+index 87f321c..12c30cf 100644
+--- a/src/H5Ocache.c
++++ b/src/H5Ocache.c
+@@ -1399,8 +1399,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+             else {
+                 /* Check for message of unshareable class marked as "shareable"
+                  */
+-                if ((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] &&
+-                    !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
++                if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) &&
++                    H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
+                     HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL,
+                                 "message of unshareable class flagged as shareable");
+ 
+diff --git a/src/H5Omessage.c b/src/H5Omessage.c
+index 7190e46..fb9006c 100644
+--- a/src/H5Omessage.c
++++ b/src/H5Omessage.c
+@@ -354,6 +354,9 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m
+          */
+         assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE));
+ 
++        /* Sanity check to see if the type is not sharable */
++        assert(type->share_flags & H5O_SHARE_IS_SHARABLE);
++
+         /* Remove the old message from the SOHM index */
+         /* (It would be more efficient to try to share the message first, then
+          *      delete it (avoiding thrashing the index in the case the ref.
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2310.patch

@@ -0,0 +1,37 @@
+From 2af87ef880bf562f1607aa7b6559e5c596cc0233 Mon Sep 17 00:00:00 2001
+From: Matthew Larson <matthewjlar@gmail.com>
+Date: Wed, 24 Sep 2025 15:26:20 -0500
+Subject: [PATCH 1/4] Add null-termination check during attr decode
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5872.patch
+---
+ src/H5Oattr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hdf5-1.14.6/src/H5Oattr.c b/hdf5-1.14.6/src/H5Oattr.c
+index 6d1d237..7bdaef7 100644
+--- a/src/H5Oattr.c
++++ b/src/H5Oattr.c
+@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
+     if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     UINT16DECODE(p, name_len); /* Including null */
++
++    /* Verify that retrieved name length (including null byte) is valid */
++    if (name_len <= 1)
++        HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid");
++
+     if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     UINT16DECODE(p, attr->shared->dt_size);
+@@ -190,6 +195,7 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
+      */
+     if (H5_IS_BUFFER_OVERFLOW(p, name_len, p_end))
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
++   
+     if (NULL == (attr->shared->name = H5MM_strndup((const char *)p, name_len - 1)))
+         HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed");
+ 
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2914.patch

@@ -0,0 +1,47 @@
+From 54f404b5ad8e63d99e3283646b543b2842a22fd3 Mon Sep 17 00:00:00 2001
+From: Binh-Minh <bmribler@hdfgroup.org>
+Date: Tue, 12 Aug 2025 20:06:42 -0400
+Subject: [PATCH] Refix of the attempts in PR-5209
+
+This PR addresses the root cause of the issue by adding a sanity-check immediately
+after reading the file space page size from the file.
+
+The same fuzzer in GH-5376 was used to verify that the assert before the vulnerability
+had occurred and that an error indicating a corrupted file space page size replaced it.
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5722.patch
+---
+ src/H5Fsuper.c  | 2 ++
+ src/H5Ofsinfo.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c
+index d9fe3a7..1c8dc6c 100644
+--- a/src/H5Fsuper.c
++++ b/src/H5Fsuper.c
+@@ -746,6 +746,8 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, bool initial_read)
+             if (!(flags & H5O_MSG_FLAG_WAS_UNKNOWN)) {
+                 H5O_fsinfo_t fsinfo; /* File space info message from superblock extension */
+ 
++                memset(&fsinfo, 0, sizeof(H5O_fsinfo_t));
++
+                 /* f->shared->null_fsm_addr: Whether to drop free-space to the floor */
+                 /* The h5clear tool uses this property to tell the library
+                  * to drop free-space to the floor
+diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c
+index 5b69235..2bb6ea6 100644
+--- a/src/H5Ofsinfo.c
++++ b/src/H5Ofsinfo.c
+@@ -182,6 +182,9 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
+         if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+         H5F_DECODE_LENGTH(f, p, fsinfo->page_size); /* File space page size */
++        /* Basic sanity check */
++        if (fsinfo->page_size == 0 || fsinfo->page_size > H5F_FILE_SPACE_PAGE_SIZE_MAX)
++            HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid page size in file space info");
+ 
+         if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2924.patch

@@ -0,0 +1,36 @@
+From 422035e1c0a30f3b363a3994e62ac46f92db9b75 Mon Sep 17 00:00:00 2001
+From: Glenn Song <gsong@hdfgroup.org>
+Date: Thu, 11 Sep 2025 16:24:33 -0500
+Subject: [PATCH 1/4] Add to sanity check
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5814.patch
+---
+ src/H5HLcache.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index d0836fe..7f412d2 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -225,6 +225,7 @@ H5HL__fl_deserialize(H5HL_t *heap)
+     /* check arguments */
+     assert(heap);
+     assert(!heap->freelist);
++    HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
+ 
+     /* Build free list */
+     free_block = heap->free_block;
+@@ -232,6 +233,10 @@ H5HL__fl_deserialize(H5HL_t *heap)
+         const uint8_t *image; /* Pointer into image buffer */
+ 
+         /* Sanity check */
++
++        if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
++            HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
++
+         if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
+             HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
+ 
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2925.patch

@@ -0,0 +1,43 @@
+From c731305ad3717924a9f48d4e4929956e80ce2cb3 Mon Sep 17 00:00:00 2001
+From: Glenn Song <gsong@hdfgroup.org>
+Date: Thu, 21 Aug 2025 11:36:23 -0500
+Subject: [PATCH 01/10] Fix issue5383
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5739.patch
+---
+ src/H5Centry.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/H5Centry.c b/src/H5Centry.c
+index 1ca7479..aedcad8 100644
+--- a/src/H5Centry.c
++++ b/src/H5Centry.c
+@@ -1051,9 +1051,14 @@ H5C__load_entry(H5F_t *f,
+          */
+         do {
+             if (actual_len != len) {
++	         /* Verify that the length isn't a bad value  */
++                if (len == 0)
++		    HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value");
++
+                 if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE)))
+                     HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
+                 image = (uint8_t *)new_image;
++
+ #if H5C_DO_MEMORY_SANITY_CHECKS
+                 H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
+ #endif        /* H5C_DO_MEMORY_SANITY_CHECKS */
+@@ -1104,6 +1109,10 @@ H5C__load_entry(H5F_t *f,
+                     if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0)
+                         HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA");
+ 
++                    /* Verify that the length isn't 0  */
++                    if (actual_len == 0)
++                        HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value");
++
+                     /* Expand buffer to new size */
+                     if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE)))
+                         HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-2926.patch

@@ -0,0 +1,31 @@
+From b36c123a68f9f67f5a6de07fcd9caaf8586289c8 Mon Sep 17 00:00:00 2001
+From: Binh-Minh <bmribler@hdfgroup.org>
+Date: Tue, 16 Sep 2025 11:57:03 -0400
+Subject: [PATCH 1/7] Fix CVE-2025-2926, CVE-2025-2913
+
+An image size was corrupted and decoded as 0 resulting in a NULL image buffer,
+which caused a NULL pointer dereference when the image being copied to the buffer.
+The invalid image size was caught in the PR #5710.  This change catches right
+before the copying.
+
+Fixes GH issue #5384
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5841.patch
+---
+ src/H5Ocache.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/H5Ocache.c b/src/H5Ocache.c
+index 12c30cf..4337d6e 100644
+--- a/src/H5Ocache.c
++++ b/src/H5Ocache.c
+@@ -602,6 +602,7 @@ H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len)
+     assert(udata);
+     assert(udata->oh);
+     assert(image_len);
++    assert(udata->size);
+ 
+     /* Set the image length size */
+     *image_len = udata->size;
+-- 
+2.45.4
+

SPECS/hdf5/CVE-2025-44905.patch

@@ -0,0 +1,38 @@
+From 28ab45329218d9e41bd77929fd3e9cd8a80bd3c7 Mon Sep 17 00:00:00 2001
+From: Christian Wojek <christian.wojek@web.de>
+Date: Sat, 11 Oct 2025 12:43:06 +0200
+Subject: [PATCH 1/5] Fixing CVE-2025-44905. A malformed HDF5 can cause reading
+ beyond a heap allocation.
+
+Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5915.patch
+---
+ src/H5Zscaleoffset.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index 048344b..fbf12d6 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,6 +1205,9 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         unsigned           minval_size  = 0;
+ 
+         minbits = 0;
++        if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char *)*buf + *buf_size - 1))
++            HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
++
+         for (i = 0; i < 4; i++) {
+             minbits_mask = ((unsigned char *)*buf)[i];
+             minbits_mask <<= i * 8;
+@@ -1220,6 +1223,9 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         minval_size = sizeof(unsigned long long) <= ((unsigned char *)*buf)[4] ? sizeof(unsigned long long)
+                                                                                : ((unsigned char *)*buf)[4];
+         minval      = 0;
++        if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size,
++                                  (unsigned char *)*buf + *buf_size - 1))
++            HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+         for (i = 0; i < minval_size; i++) {
+             minval_mask = ((unsigned char *)*buf)[5 + i];
+             minval_mask <<= i * 8;
+-- 
+2.45.4
+