HDF5 - how about removing gif2h5, subject to several CVEs?

Hi debian-science,

Three CVEs were recently reported [1] against gif2h5. When I asked the HDF Group about these CVEs, I got this answer:

> Those appear to be flaws in a small, poorly-written, command-line tool (gif2h5) and not the HDF5 library itself. This is only a concern if you have built a service that uses the tool. I am very surprised that those CVE issues were given high scores given how rarely the tool is used in a production environment.
>
> I have no fix ETA since my plan is to move the tool to a separate repository. Valgrind has always complained about that tool and the code doesn't seem worth fixing.
>
> You can avoid the issue entirely by not deploying or exposing the gif2h5 tool. This can be done at configure time via the --disable-hltools configure option (in CMake, set HDF5_BUILD_HL_TOOLS to OFF) which will disable building the high-level tools.

What do you think about removing gif2h5 from the hdf5-tools package?

And would it be OK to fix HDF5 in stable and oldstable this way?

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031726

Thanks in advance,
_g.
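The build-time opt-out the HDF Group describes above, as an added example (this is not code from the thread, from Debian, or from the HDF Group). It assumes an HDF5 source tree path and an install prefix given on the command line, and it adds the check a packager wants after flipping the switch: confirm that no HL tool binary landed in the install tree. Note that --disable-hltools / HDF5_BUILD_HL_TOOLS=OFF drops the whole hl/tools directory, so the sibling h52gif disappears together with gif2h5 while the HL library itself is still built.

```shell
#!/bin/sh
# Added example, not part of the original post or of HDF5 itself.
# SRC (an HDF5 source tree) and PREFIX (install location) are assumed inputs.
set -eu

# Autotools build without the high-level tools. --enable-hl keeps the HL
# library; --disable-hltools skips hl/tools, i.e. gif2h5 and h52gif.
build_autotools_without_hltools() {
    src=$1; prefix=$2
    ( cd "$src" && ./configure --prefix="$prefix" --enable-hl --disable-hltools \
        && make -j"$(nproc)" && make install )
}

# CMake equivalent of the same choice.
build_cmake_without_hltools() {
    src=$1; prefix=$2
    cmake -S "$src" -B "$src/build" -DCMAKE_INSTALL_PREFIX="$prefix" \
        -DHDF5_BUILD_HL_LIB=ON -DHDF5_BUILD_HL_TOOLS=OFF
    cmake --build "$src/build" -j"$(nproc)"
    cmake --install "$src/build"
}

# Post-install check: return 0 if no HL tool binary exists under PREFIX/bin,
# 1 otherwise, listing any offender so a packager can see what slipped through.
check_no_hl_tools() {
    prefix=$1; rc=0
    for tool in gif2h5 h52gif; do
        if [ -e "$prefix/bin/$tool" ]; then
            echo "found $prefix/bin/$tool"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check-hdf5-hltools.sh /path/to/hdf5-src /opt/hdf5
if [ $# -eq 2 ]; then
    build_autotools_without_hltools "$1" "$2"
    check_no_hl_tools "$2"
fi
```

For the Debian package the same check can run from debian/rules after dh_auto_install against debian/tmp, so a future upstream change that re-enables the tools fails the build instead of silently shipping gif2h5 again.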