HDF5 - how about removing gif2h5 subject to several CVE?
Hi debian-science,
Three CVEs were recently reported [1] against gif2h5. When I asked the
HDF Group about these CVEs I received this answer:
> Those appear to be flaws in a small, poorly-written, command-line
> tool (gif2h5) and not the HDF5 library itself. This is only a concern if
> you have built a service that uses the tool. I am very surprised that
> those CVE issues were given high scores given how rarely the tool is
> used in a production environment.
>
> I have no fix ETA since my plan is to move the tool to a separate
> repository. Valgrind has always complained about that tool and the code
> doesn't seem worth fixing.
>
> You can avoid the issue entirely by not deploying or exposing the
> gif2h5 tool. This can be done at configure time via the
> --disable-hltools configure option (in CMake, set HDF5_BUILD_HL_TOOLS to
> OFF) which will disable building the high-level tools.
What do you think about removing gif2h5 from the hdf5-tools package?
And would it be OK to fix HDF5 in stable and oldstable this way?
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031726
Thanks in advance,
_g.
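As an added illustration of the mitigation quoted above (this is example code written for this page, not part of the thread and not from the HDF Group or the Debian packaging), the following POSIX shell script wraps the two build invocations named in the reply, Autotools with --disable-hltools and CMake with HDF5_BUILD_HL_TOOLS=OFF, and adds a check that the resulting install prefix (or a package's staging tree) contains no gif2h5 or h52gif executable. The source and prefix paths, the build-directory layout and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the HDF Group.
# Build HDF5 without the high-level tools (which include gif2h5/h52gif)
# and verify that none of those binaries reached the install prefix.
# $srcdir/$prefix layout and function names are assumptions.

# Autotools build: --disable-hltools is the option named in the reply.
build_hdf5_autotools() {
    srcdir="$1"; prefix="$2"
    (cd "$srcdir" && ./configure --prefix="$prefix" --disable-hltools \
        && make && make install)
}

# CMake build: HDF5_BUILD_HL_TOOLS=OFF is the CMake equivalent named in
# the reply. Uses an out-of-tree build directory under the source tree.
build_hdf5_cmake() {
    srcdir="$1"; prefix="$2"
    cmake -S "$srcdir" -B "$srcdir/build" \
        -DCMAKE_INSTALL_PREFIX="$prefix" -DHDF5_BUILD_HL_TOOLS=OFF \
        && cmake --build "$srcdir/build" \
        && cmake --install "$srcdir/build"
}

# Post-build check: walk a directory tree (install prefix, debian/tmp,
# or a staging area) and report any gif2h5 / h52gif executable.
# Returns 0 when the tree is clean, 1 and a list of paths otherwise.
check_no_gif_tools() {
    dir="$1"
    found=$(find "$dir" -type f \( -name gif2h5 -o -name h52gif \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'gif2h5/h52gif still present:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Typical use (assumed paths):
#   build_hdf5_autotools /usr/src/hdf5 /opt/hdf5 && check_no_gif_tools /opt/hdf5
```

The check function is the piece worth keeping in a packaging workflow: run it against the staged install tree after the build so that a regression in the configure flags (for example a build system upgrade that renames the option) is caught before a package that still ships the tool is uploaded.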