
Advice about the importance of heap overflow in hdf5

Hi fellow LTS maintainers

During triaging of hdf5 I have checked four CVEs.
  - CVE-2016-4330  https://security-tracker.debian.org/tracker/CVE-2016-4330
  - CVE-2016-4331  https://security-tracker.debian.org/tracker/CVE-2016-4331
  - CVE-2016-4332  https://security-tracker.debian.org/tracker/CVE-2016-4332
  - CVE-2016-4333  https://security-tracker.debian.org/tracker/CVE-2016-4333

All of them are related to heap overflow that "can potentially cause arbitrary code execution".
This is a security problem, but the question is how important it is.

The crash is a DoS problem, but my guess is that from that perspective the worst thing that will happen is that the person opening the file will be a little upset and blame the person sending the file.

However, this can also potentially cause an arbitrary code execution problem and that is definitely worse. Someone could execute something as some other user on a system where it should not be run.

I do however think that this is less of an issue as files are not loaded automatically (my assumption), but rather by a person who gets a file from a hopefully rather trusted source.

Also, I have in other discussions got the impression that gcc nowadays has some kind of heap protection that prevents overwrite of data causing arbitrary code execution. I may be wrong however.

All in all I'm leaning towards marking these as no-dsa, but I would like your advice before doing so.

Best regards

// Ola

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
