@jykanase jykanase commented Nov 18, 2025

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Upgrade hdf5 version to 1.14.6 and patch hdf5 for CVE-2025-2153, CVE-2025-2310, CVE-2025-2914, CVE-2025-2926, CVE-2025-2915, CVE-2025-6816, CVE-2025-2925, CVE-2025-2924, CVE-2025-44905, CVE-2025-6269, CVE-2025-6750, CVE-2025-6857, CVE-2025-7067, CVE-2025-7068, CVE-2025-6858, CVE-2025-2923, CVE-2025-2913, CVE-2025-6516, CVE-2025-6818, CVE-2025-6817, CVE-2025-6856, CVE-2025-7069

CVE-2025-2153: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5795.patch
CVE-2025-2310: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5872.patch
CVE-2025-2914: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5722.patch
CVE-2025-2915: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5746.patch
CVE-2025-2924: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5814.patch
CVE-2025-2925: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5739.patch
CVE-2025-2926: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5841.patch
CVE-2025-44905: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5915.patch
CVE-2025-6269: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5850.patch
CVE-2025-6750: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5856.patch
CVE-2025-6816, CVE-2025-6856, CVE-2025-2923, CVE-2025-6818: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5829.patch
CVE-2025-6857: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5799.patch
CVE-2025-6858: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5710.patch
CVE-2025-7067: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5815.patch
https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5938.patch
CVE-2025-7068: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5817.patch

Change Log
  • hdf5.spec
  • hdf5.signatures.json
Does this affect the toolchain?

YES/NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id: xxxx

@jykanase jykanase requested a review from a team as a code owner November 18, 2025 11:52
@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Nov 18, 2025
Kanishk-Bansal commented Nov 18, 2025

Source Publish

@Kanishk-Bansal

Build

akhila-guruju commented Nov 19, 2025

No significant code changes have been identified. All patches align with the upstream patches. Only minor adjustments, such as correcting indentation or removing a redundant comment, may be necessary.

CVE-2025-2153:
patching for this file is missing release_docs/CHANGELOG.md. Justifiable because file is not available in v1.14.6 tarball
Rest all changes are matching.

SPECS/hdf5/CVE-2025-2310:
PR: HDFGroup/hdf5#5872
same as upstream patch

CVE-2025-2914
PR: HDFGroup/hdf5#5722
same as upstream patch

CVE-2025-2915
PR: HDFGroup/hdf5#5746
no release_docs/CHANGELOG.md - Justifiable because file is not available in v1.14.6 tarball
in L#24, nit: indentation for new_accum_size = accum->size - overlap_size;
Rest all changes are matching with upstream patch

CVE-2025-2924
PR: HDFGroup/hdf5#5814
no release_docs/RELEASE.txt - Not sure if this change is imp or not. file is available in v1.14.6 tarball
Rest all changes are matching with upstream patch

CVE-2025-2925
PR: HDFGroup/hdf5#5739
no file release_docs/CHANGELOG.md - Justifiable because file is not available in v1.14.6 tarball
L39, nit: indentation for /* Expand buffer to new size */

CVE-2025-2926.patch and CVE-2025-2913
PR: HDFGroup/hdf5#5841
no patching for release_docs/CHANGELOG.md - Justifiable because file is not available in v1.14.6 tarball

CVE-2025-44905
PR: HDFGroup/hdf5#5915
same as upstream patch

CVE-2025-6269
PR: HDFGroup/hdf5#5850
no patching for release_docs/CHANGELOG.md - Justifiable because file is not available in v1.14.6 tarball
in L33, H5C__decode_cache_image_header was backported. (new arg was added from upstream, that was used in patch)
in L52, status = H5C__decode_cache_image_header was backported
in L61, H5C__decode_cache_image_header was backported
above 3 changes are required because, upstream patch uses this func with one more additional arg in L81 H5C__decode_cache_image_header(f, cache_ptr, &p, image_len + 1)
L235 is redundant. Should be removed as per the upstream patch.
Rest all changes are matching with upstream.

CVE-2025-6750
PR: HDFGroup/hdf5#5856
no patching for release_docs/CHANGELOG.md - Justifiable because file is not available in v1.14.6 tarball
L28, nit: indentation for /* Message flags */
Rest all changes are matching with upstream patch

CVE-2025-6816.patch and CVE-2025-6856, CVE-2025-2923, CVE-2025-6818
PR: HDFGroup/hdf5#5829
issue: HDFGroup/hdf5#5571
no patching for release_docs/CHANGELOG.md - Justifiable because file is not available in v1.14.6 tarball
L40, nit: indentation for /* Bring the chunk into the cache */
L51, nit: indentation for chunkno = chk_proxy->chunkno;
L65, nit: indentation for /* Advance to next continuation message */
Rest all same as upstream patch

CVE-2025-6857
PR: HDFGroup/hdf5#5799
no patching for release_docs/CHANGELOG.md - Justifiable because file is not available in v1.14.6 tarball
L87, nit: indentation for /* Sanity check to
Extra file src/H5Bpkg.h was also patched because in L21 & L45, new args added in patch int exp_level and H5B_UNKNOWN_NODELEVEL which were not present in our source code. So backporting these in src/H5Bpkg.h is justifiable
2nd hunk (@@ -255,26 +257,67 @@) in file src/H5B.c is already formatted in v1.14.6 tarball. So, this hunk won't be present in this patch.

CVE-2025-6858
PR: HDFGroup/hdf5#5710
issue: HDFGroup/hdf5#5576
same as upstream patch

CVE-2025-7067
PR: HDFGroup/hdf5#5815 and HDFGroup/hdf5#5938
same as upstream patch

CVE-2025-7068
PR: HDFGroup/hdf5#5937
no patching for release_docs/CHANGELOG.md - Justifiable because file is not available in v1.14.6 tarball
same as upstream patch
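
The comparison this review does by hand (backport versus upstream patch, tolerating the absent `release_docs/` files and indentation nits) can be triaged mechanically. The following is an added example, not part of the PR or the Azure Linux tooling; the function names and the sample patches are constructed for illustration.

```python
import re
from collections import Counter

# Paths the review accepts as absent from a backport (not shipped in the tarball).
IGNORED_PREFIXES = ("release_docs/",)

def changed_lines(patch_text):
    """Map each file in a git-format patch to its '+'/'-' hunk lines."""
    files, current, in_hunk = {}, None, False
    for line in patch_text.splitlines():
        header = re.match(r"diff --git a/\S+ b/(\S+)$", line)
        if header:
            current, in_hunk = header.group(1), False
            files.setdefault(current, [])
        elif line.startswith("@@"):
            in_hunk = current is not None
        elif in_hunk and line[:1] in ("+", "-"):
            files[current].append(line)
    return files

def canon(lines):
    """Net change per line of text, ignoring whitespace; a -/+ pair of equal text cancels."""
    net = Counter()
    for line in lines:
        text = " ".join(line[1:].split())
        if text:
            net[text] += 1 if line[0] == "+" else -1
    return {t: n for t, n in net.items() if n}

def compare(upstream_text, backport_text):
    """Classify every file touched by either patch (order-insensitive triage aid)."""
    up, bp = changed_lines(upstream_text), changed_lines(backport_text)
    report = {}
    for path in sorted(set(up) | set(bp)):
        if path.startswith(IGNORED_PREFIXES):
            report[path] = "ignored"
        elif path not in bp:
            report[path] = "missing in backport"
        elif path not in up:
            report[path] = "extra in backport"
        elif up[path] == bp[path]:
            report[path] = "identical"
        elif canon(up[path]) == canon(bp[path]):
            report[path] = "whitespace only"
        else:
            report[path] = "differs"
    return report

# Constructed sample patches (not the real HDF5 diffs).
_HDR = "diff --git a/{0} b/{0}\n--- a/{0}\n+++ b/{0}\n@@ -1,2 +1,4 @@\n"
UPSTREAM = (_HDR.format("release_docs/CHANGELOG.md") + "+- constructed entry\n"
            + _HDR.format("src/H5B.c") + "-    old_call(a);\n+    /* Sanity check */\n+    if (bad)\n")
BACKPORT = (_HDR.format("src/H5B.c") + "-    old_call(a);\n+  /* Sanity check */\n+    if (bad)\n"
            + _HDR.format("src/H5Bpkg.h") + "+int constructed_arg;\n")
```

Files reported as "extra in backport" or "differs" are the ones that still need a written justification in the review; "whitespace only" corresponds to the indentation nits listed above.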


Upstream patch Reference: https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5795.patch
---
src/H5Ocache.c | 4 ++--

Patch looks fine

HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
- if (NULL == (attr->shared->name = H5MM_strndup((const char *)p, name_len - 1)))
+
+ if (NULL == (attr->shared->name = H5MM_strndup((const char *)p, name_len - 1)))
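Review bot: the `-`/`+` pair on the `H5MM_strndup` line differs only in leading whitespace, and the added blank `+` line changes nothing functional, so this part of the hunk is pure churn. Drop it so the backport carries only the functional change and stays easy to diff against the upstream patch.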

This change is not required

---
src/H5Fsuper.c | 2 ++
src/H5Ofsinfo.c | 3 +++
2 files changed, 5 insertions(+)

looks fine

+ /* Sanity check */
+ /* Overlap size should not result in "negative" value after subtraction */
+ assert(overlap_size < accum->size);
+ new_accum_size = accum->size - overlap_size;
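Review bot: `assert(overlap_size < accum->size)` is the only guard visible here before `accum->size - overlap_size`, and `assert` compiles to nothing when `NDEBUG` is defined, so a release build has no check against the "negative" result the comment warns about. Confirm that a runtime check returning an error covers this path, or that the package is built with assertions enabled.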

Rest looks fine. Indentation

@@ -0,0 +1,36 @@
From 422035e1c0a30f3b363a3994e62ac46f92db9b75 Mon Sep 17 00:00:00 2001
From: Glenn Song <[email protected]>

looks fine

static herr_t H5C__unpin_entry_from_client(H5C_t *cache_ptr, H5C_cache_entry_t *entry_ptr, bool update_rp);
static herr_t H5C__generate_image(H5F_t *f, H5C_t *cache_ptr, H5C_cache_entry_t *entry_ptr);
+static herr_t H5C__discard_single_entry(H5F_t *f, H5C_t *cache_ptr, H5C_cache_entry_t *entry_ptr,
+ bool destroy_entry, bool free_file_space,

Indentation

#ifdef H5_HAVE_PARALLEL
@@ -753,118 +756,13 @@ H5C__flush_single_entry(H5F_t *f, H5C_cache_entry_t *entry_ptr, unsigned flags)
* Now discard the entry if appropriate.
*/

rest looks fine


memset(&state, 0, sizeof(H5FS_stat_t));
@@ -4334,7 +4334,7 @@ test_mf_align_fs(const char *driver_name, hid_t fapl, hid_t new_fapl)
sect_node = H5MF__sect_new(H5MF_FSPACE_SECT_SIMPLE, (haddr_t)TBLOCK_ADDR70, (hsize_t)TBLOCK_SIZE700);

looks fine

--- a/src/H5Ocont.c
+++ b/src/H5Ocont.c
@@ -104,6 +104,9 @@ H5O__cont_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");

looks good


if (bt->level > 0) {
- if ((ret_value = H5B_find(f, type, bt->child[idx], found, udata)) < 0)
+ /* Sanity check to catch the case where the current node points to

Indentation

Add additional checks for v1 B-tree corruption
Upstream Patch Reference :https://patch-diff.githubusercontent.com/raw/HDFGroup/hdf5/pull/5799.patch
---
src/H5B.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++--

Looks fine

- size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */
-#endif /* NDEBUG */
-
- /* Bring the chunk into the cache */

not part of the patch, causing indentation

- assert(chk_proxy->chunkno == chkcnt);
- assert(oh->nchunks == (chkcnt + 1));
+
+ chunkno = chk_proxy->chunkno;

please fix indentation at all the places

H5AC__NO_FLAGS_SET) < 0)
HGOTO_ERROR(H5E_OHDR, H5E_CANTUNPROTECT, NULL, "unable to release object header chunk");

- /* Advance to next continuation message */

not part of the patch


- /* Advance to next continuation message */
+ if (chunkno != chkcnt)
+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "incorrect chunk number for object header chunk");
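Review bot: the new `if (chunkno != chkcnt)` check runs in every build, but an earlier part of this patch removes `size_t chkcnt = oh->nchunks;` together with an `#endif /* NDEBUG */`, which suggests the declaration previously existed only in debug builds. Make sure the patched file declares `chkcnt` unconditionally, otherwise a build with `NDEBUG` defined will not compile.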

indentation

+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL,
+ "incorrect number of chunks after deserializing object header chunk");
+
+ /* Advance to next continuation message */

indentation

From b6d4a76c7a9309eba6e70fde0e1ecf0dd09d3d23 Mon Sep 17 00:00:00 2001
From: Jordan Henderson <[email protected]>
Date: Mon, 15 Sep 2025 12:26:10 -0500
Subject: [PATCH] Fix issue with handling of corrupted object header

rest looks fine

if (mesg_size != H5O_ALIGN_OH(oh, mesg_size))
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned");

- /* Message flags */

not part of the patch

+ if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end))
+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message size exceeds buffer end");
+
+ /* Message flags */

indentation

HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount");
oh->nlink = *refcount;
}
+ /* Check if message is an old mtime message */

indentation

unsigned minval_size = 0;

minbits = 0;
+ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char *)*buf + *buf_size - 1))

indentation

minval_size = sizeof(unsigned long long) <= ((unsigned char *)*buf)[4] ? sizeof(unsigned long long)
: ((unsigned char *)*buf)[4];
minval = 0;
+ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size,

here as well

From b36c123a68f9f67f5a6de07fcd9caaf8586289c8 Mon Sep 17 00:00:00 2001
From: Binh-Minh <[email protected]>
Date: Tue, 16 Sep 2025 11:57:03 -0400
Subject: [PATCH 1/7] Fix CVE-2025-2926, CVE-2025-2913

looks fine

*/
do {
if (actual_len != len) {
+ /* Verify that the length isn't a bad value */

Indentation

+ if (actual_len == 0)
+ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value");
+
+ /* Expand buffer to new size */

indentation

@mayankfz

Regarding Pipelines - Run PR-15115+hdf5+unknown artifacts I am seeing below test failure, even though overall test passes, was it failing earlier as well?

Had requested to check with the latest hdf5_2.0.0 and verify as they have all the CVE changes if these are not caused due to some issue with our patching. It seems that that failure would be there due to the changes made in the CVE patch.


jykanase commented Nov 24, 2025

Regarding Pipelines - Run PR-15115+hdf5+unknown artifacts I am seeing below test failure, even though overall test passes, was it failing earlier as well?

Had requested to check with the latest hdf5_2.0.0 and verify as they have all the CVE changes if these are not caused due to some issue with our patching. It seems that that failure would be there due to the changes made in the CVE patch.

I have tried building hdf5-2.0.0 source code locally, I found some test fails but still results show 100% test passed.
Followed below steps to build hdf5,

  1. mkdir build && cd build
  2. cmake [options]
  3. cmake --build .
  4. cmake --install .

Comment out overflow checks for address and size in H5O__mdci_decode function. These checks are causing many test failures. The CVE specifically asks for `HDF5__accum_free` function.
Refactor error handling for parent and non-parent entries in CVE-2025-6269 patch.

kgodara912 commented Nov 26, 2025

The test failures were actually correct, but we were ignoring the make return value in the spec file, hence it looked like the tests succeeded, but they were actually failing with the patches. Removed two checks, the updated buddy build.

@mayankfz

The test failures were actually correct, but we were ignoring the make return value in the spec file, hence it looked like the tests succeeded, but they were actually failing with the patches. Removed two checks, the updated buddy build.

So, we are deviating a little bit from the upstream patch, since the function in question for CVE-2025-2915 is only H5F__accum_free(). And by commenting out the changes in H5O__mdci_decode(), the tests are passing. In the future it will be better if we are in sync with upstream and, hopefully, they will fix the test failures due to the code in H5O__mdci_decode(). Thanks

@mayankfz

Patch applies with modification

  • Buddy Build
  • patch applied during the build (check rpm.log)
  • patch include an upstream reference
  • PR has security tag
  • ptest regression

@mayankfz mayankfz added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Nov 27, 2025
Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review security
