
Re: HDF5 - how about removing gif2h5 subject to several CVE?



Hi Gilles,

since nobody responded to your question (I did not respond either, since
none of my packages uses this tool), here is my opinion:  No
contradiction means agreement - thus just go for it.

Thanks a lot for caring for the hdf5 libraries
    Andreas.

On Sat, Feb 25, 2023 at 10:37:58PM +0100, Gilles Filippini wrote:
> Hi debian-science,
> 
> Three CVEs were recently reported [1] against gif2h5. When I asked the HDF
> Group about these CVEs I got this answer:
> 
> > Those appear to be flaws in a small, poorly-written, command-line tool
> > (gif2h5) and not the HDF5 library itself. This is only a concern if you have
> > built a service that uses the tool. I am very surprised that those CVE
> > issues were given high scores given how rarely the tool is used in a
> > production environment.
> >
> > I have no fix ETA since my plan is to move the tool to a separate
> > repository. Valgrind has always complained about that tool and the code
> > doesn't seem worth fixing.
> >
> > You can avoid the issue entirely by not deploying or exposing the gif2h5
> > tool. This can be done at configure time via the --disable-hltools configure
> > option (in CMake, set HDF5_BUILD_HL_TOOLS to OFF) which will disable
> > building the high-level tools.
> 
> What do you think about removing gif2h5 from the hdf5-tools package?
> 
> And would it be OK to fix HDF5 in stable and oldstable this way?
> 
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031726
> 
> Thanks in advance,
> _g.

-- 
http://fam-tille.de
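As an added example that is not part of the thread and not the HDF Group's own code: the two build routes quoted above (autotools `--disable-hltools`, CMake `HDF5_BUILD_HL_TOOLS=OFF`) together with a post-install check that gif2h5 did not end up deployed. The source path and install prefix are assumed arguments, and h52gif is assumed as the companion tool built from the same hl/tools directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from the HDF Group.
# Assumptions: the HDF5 source tree and install prefix are passed in as
# arguments; both build routes are shown, followed by a deployment check.
set -eu

# Autotools route: --disable-hltools turns off the high-level tools
# (gif2h5 among them), as stated in the HDF Group's reply.
build_without_hl_tools_autotools() {
    src=$1; prefix=$2
    ( cd "$src" \
      && ./configure --prefix="$prefix" --disable-hltools \
      && make -j "$(nproc 2>/dev/null || echo 2)" \
      && make install )
}

# CMake route: the equivalent switch is HDF5_BUILD_HL_TOOLS=OFF.
build_without_hl_tools_cmake() {
    src=$1; prefix=$2
    ( mkdir -p "$src/build" && cd "$src/build" \
      && cmake -DHDF5_BUILD_HL_TOOLS=OFF -DCMAKE_INSTALL_PREFIX="$prefix" .. \
      && cmake --build . -j "$(nproc 2>/dev/null || echo 2)" \
      && cmake --install . )
}

# Deployment check: return 0 only if no gif2h5 binary is present in the
# given bin directory. h52gif (assumed companion tool from the same
# hl/tools source directory) is checked as well.
hl_tools_absent() {
    bindir=$1
    found=0
    for tool in gif2h5 h52gif; do
        if [ -x "$bindir/$tool" ]; then
            echo "high-level tool still deployed: $bindir/$tool" >&2
            found=1
        fi
    done
    return "$found"
}

# Usage, after one of the build functions has installed into $PREFIX:
#   hl_tools_absent "$PREFIX/bin" && echo "gif2h5 not deployed"
```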