Merged
6 changes: 6 additions & 0 deletions release_docs/CHANGELOG.md
Expand Up @@ -495,6 +495,12 @@ Simple example programs showing how to use complex number datatypes have been ad

## Library

### Fixed security issue CVE-2025-2153

The message flags field could be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. An assert has been added in H5O__msg_write_real to make sure messages that are not sharable can't be modified to shared. Additionally, the check in H5O__chunk_deserialize that catches unsharable messages being marked as sharable has been improved.

Fixes GitHub issue #5329

### Fixed security issue CVE-2025-6857

An HDF5 file had a corrupted v1 B-tree that would result in a stack overflow when performing a lookup on it. This has been fixed with additional integrity checks.
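
Review bot: In the CVE-2025-2153 entry, "the check in H5O__chunk_deserialize ... has been improved" does not tell a reader what is now rejected. Suggest stating that the check now also fails the load when a message of an unshareable class has H5O_MSG_FLAG_SHARED set, not only H5O_MSG_FLAG_SHAREABLE. The entry also lists the new assert in H5O__msg_write_real as part of the fix; assert() is compiled out when NDEBUG is defined, so it is worth saying that this part is a debug-build check. The entry mixes the spellings "sharable" and "shareable" as well.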
4 changes: 2 additions & 2 deletions src/H5Ocache.c
Expand Up @@ -1403,8 +1403,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
else {
/* Check for message of unshareable class marked as "shareable"
*/
if ((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] &&
!(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) &&
H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL,
"message of unshareable class flagged as shareable");
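
Review bot: The condition now also fires on H5O_MSG_FLAG_SHARED, but the comment above it and the error string still say only "shareable", so a file rejected for the shared bit reports the wrong flag. Suggest updating both, for example "message of unshareable class flagged as shared or shareable". The two flag tests can also be folded into one mask: flags & (H5O_MSG_FLAG_SHARED | H5O_MSG_FLAG_SHAREABLE).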

Member


I didn't mean to delete the line, just the blank spaces in it

3 changes: 3 additions & 0 deletions src/H5Omessage.c
Expand Up @@ -354,6 +354,9 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m
*/
assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE));

/* Sanity check to see if the type is not sharable */
assert(type->share_flags & H5O_SHARE_IS_SHARABLE);

Member


Would it also be worth switching the assert statements above into real error checks?

/* Remove the old message from the SOHM index */
/* (It would be more efficient to try to share the message first, then
* delete it (avoiding thrashing the index in the case the ref.
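
Review bot: The added assert(type->share_flags & H5O_SHARE_IS_SHARABLE) is the only guard this hunk puts on the path, and assert() is compiled out when NDEBUG is defined, so a build without assertions continues into the SOHM index removal below for an unsharable type. Since the changelog describes the condition as reachable through a modified message flags field, suggest a real error return here (HGOTO_ERROR, as H5O__chunk_deserialize uses) in place of or alongside the assert. The new comment also reads inverted: the assert checks that the type is sharable, so "Sanity check that the type is sharable" would match the code.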