HDF5 - how about removing gif2h5 subject to several CVE?

To: Debian Science List <debian-science@lists.debian.org>
Subject: HDF5 - how about removing gif2h5 subject to several CVE?
From: Gilles Filippini <pini@debian.org>
Date: Sat, 25 Feb 2023 22:37:58 +0100
Message-id: <[🔎] 4bd22588-3ec9-3c51-349f-0e1d2c4f0118@debian.org>

Hi debian-science,

Three CVE were recently reported [1] against gif2h5. When I asked theHDF group about these CVE I had this answer:

> Those appear to be flaws in a small, poorly-written, command-linetool (gif2h5) and not the HDF5 library itself. This is only a concern ifyou have built a service that uses the tool. I am very surprised thatthose CVE issues were given high scores given how rarely the tool isused in a production environment.

> I have no fix ETA since my plan is to move the tool to a separaterepository. Valgrind has always complained about that tool and the codedoesn't seem worth fixing.

> You can avoid the issue entirely by not deploying or exposing thegif2h5 tool. This can be done at configure time via the--disable-hltools configure option (in CMake, set HDF5_BUILD_HL_TOOLS toOFF) which will disable building the high-level tools.


What do you think about removing gif2h5 from the hdf5-tools package?

And would it be OK to fix HDF5 in stable and oldstable this way?

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031726

Thanks in advance,
_g.

Reply to:

Prev by Date: Bug#1031523: ITP: iqmol -- molecular builder and visualization package
Previous by thread: Bug#1031523: ITP: iqmol -- molecular builder and visualization package
Index(es):
- Date
- Thread