Skip to content

[AutoPR- Security] Patch hdf5 for CVE-2025-44904 [HIGH]#17981

Open
azurelinux-security wants to merge 2 commits into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/hdf5/3.0/1156894
Open

[AutoPR- Security] Patch hdf5 for CVE-2025-44904 [HIGH]#17981
azurelinux-security wants to merge 2 commits into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/hdf5/3.0/1156894

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 10, 2026

Copy link
Copy Markdown

Auto Patch hdf5 for CVE-2025-44904.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1156894&view=results

CVE-2025-44904 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1156895&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

@BinduSri-6522866

Copy link
Copy Markdown

@azurelinux-security

Copy link
Copy Markdown
Author

🔒 CVE Patch Review: CVE-2025-44904

PR #17981 — [AutoPR- Security] Patch hdf5 for CVE-2025-44904 [HIGH]
Package: hdf5 | Branch: fasttrack/3.0


Spec File Validation

Check Status Detail
Release bump Release bumped 2 → 3
Patch entry Patch entries added: ['CVE-2025-44904.patch'] (covers ['CVE-2025-44904'])
Patch application %autosetup/%autopatch found in full spec — patches applied automatically
Changelog Changelog entry looks good
Signatures No source tarball changes — signatures N/A
Manifests Not a toolchain PR — manifests N/A

Build Verification

  • Build status: ✅ PASSED
  • Artifact downloaded:
  • CVE applied during build:
  • Warnings (179):
    • L158: time="2026-07-10T14:28:53Z" level=debug msg="configure.ac:1364: warning: The macro 'AC_CHECK_CLASS' is obsolete."
    • L313: time="2026-07-10T14:28:58Z" level=debug msg="f951: Warning: Nonexistent include directory '/usr/lib/gfortran/modules' [-Wmissing-include-dirs]"
    • L996: time="2026-07-10T14:29:07Z" level=debug msg="../../src/H5Cimage.c:1273:94: warning: unused parameter 'buf_size' [-Wunused-parameter]"
    • L2584: time="2026-07-10T14:29:12Z" level=debug msg="../../test/cache_image.c:2751:1: warning: 'check_cache_image_ctl_flow_6' defined but not used [-Wunused-function]"
    • L2587: time="2026-07-10T14:29:12Z" level=debug msg="../../test/cache_image.c:2473:1: warning: 'check_cache_image_ctl_flow_5' defined but not used [-Wunused-function]"
    • L2590: time="2026-07-10T14:29:12Z" level=debug msg="../../test/cache_image.c:2147:1: warning: 'check_cache_image_ctl_flow_4' defined but not used [-Wunused-function]"
    • L2593: time="2026-07-10T14:29:12Z" level=debug msg="../../test/cache_image.c:1784:1: warning: 'check_cache_image_ctl_flow_3' defined but not used [-Wunused-function]"
    • L2596: time="2026-07-10T14:29:12Z" level=debug msg="../../test/cache_image.c:1523:1: warning: 'check_cache_image_ctl_flow_2' defined but not used [-Wunused-function]"
    • L2599: time="2026-07-10T14:29:12Z" level=debug msg="../../test/cache_image.c:1249:1: warning: 'check_cache_image_ctl_flow_1' defined but not used [-Wunused-function]"
    • L4030: time="2026-07-10T14:29:18Z" level=debug msg="../../../c++/src/H5Location.cpp:2001:46: warning: argument 1 range [9223372036854775809, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]"
    • … and 169 more

🤖 AI Build Log Analysis

  • Risk: medium
  • Summary: The hdf5 RPM build completed successfully and produced the main, devel, static, and debuginfo packages. The CVE patch set, including CVE-2025-44904.patch, appears to have been applied during %prep without any visible hunk failures, rejects, fuzz, or offset warnings. Compilation, linking, installation, packaging, and RPM generation all finished successfully, and tests were explicitly skipped via --nocheck / with_check 0.
  • AI-detected warnings:
    • Build tests were not run because the package was rebuilt with --nocheck and with_check 0, so there is no runtime validation of the CVE backport.
    • autoreconf emitted upstream build-system warnings, including an obsolete AC_CHECK_CLASS macro and a libtoolize suggestion about ACLOCAL_AMFLAGS; these did not fail the build but indicate aging autotools metadata.
    • find-debuginfo reported several cpio 'Cannot stat' messages for generated parser-related files under build/hl/src/hl/src; the build still completed, but this is unusual and worth a quick review to ensure debuginfo/source packaging is complete.
    • RPM emitted 'Could not canonicalize hostname' warnings inside the chroot; these are benign build-environment warnings and did not affect the package build.

🧪 Test Log Analysis

  • Test status: ✅ PASSED
  • Test warnings (179):
    • L162: time="2026-07-10T14:29:20Z" level=debug msg="configure.ac:1364: warning: The macro 'AC_CHECK_CLASS' is obsolete."
    • L317: time="2026-07-10T14:29:25Z" level=debug msg="f951: Warning: Nonexistent include directory '/usr/lib/gfortran/modules' [-Wmissing-include-dirs]"
    • L985: time="2026-07-10T14:29:34Z" level=debug msg="../../src/H5Cimage.c:1273:94: warning: unused parameter 'buf_size' [-Wunused-parameter]"
    • L2591: time="2026-07-10T14:29:37Z" level=debug msg="../../test/cache_image.c:2751:1: warning: 'check_cache_image_ctl_flow_6' defined but not used [-Wunused-function]"
    • L2594: time="2026-07-10T14:29:37Z" level=debug msg="../../test/cache_image.c:2473:1: warning: 'check_cache_image_ctl_flow_5' defined but not used [-Wunused-function]"
    • L2597: time="2026-07-10T14:29:37Z" level=debug msg="../../test/cache_image.c:2147:1: warning: 'check_cache_image_ctl_flow_4' defined but not used [-Wunused-function]"
    • L2600: time="2026-07-10T14:29:37Z" level=debug msg="../../test/cache_image.c:1784:1: warning: 'check_cache_image_ctl_flow_3' defined but not used [-Wunused-function]"
    • L2603: time="2026-07-10T14:29:37Z" level=debug msg="../../test/cache_image.c:1523:1: warning: 'check_cache_image_ctl_flow_2' defined but not used [-Wunused-function]"
    • L2606: time="2026-07-10T14:29:37Z" level=debug msg="../../test/cache_image.c:1249:1: warning: 'check_cache_image_ctl_flow_1' defined but not used [-Wunused-function]"
    • L4024: time="2026-07-10T14:29:44Z" level=debug msg="../../../c++/src/H5Location.cpp:2001:46: warning: argument 1 range [9223372036854775809, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]"
🤖 AI Test Log Analysis
  • Risk: low
  • Summary: The hdf5 test suite completed successfully for the CVE-2025-44904 patched build. The log shows the patch applied cleanly during %prep, the package built successfully, and %check finished with explicit exit status 0. Visible C++ high-level and Fortran high-level API tests all passed, with no reported failures, crashes, or skipped security-relevant tests in the provided log excerpt.

Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary: The PR patch is functionally equivalent to the upstream CVE fix in the core vulnerable code path in src/H5Dchunk.c, but it is not an exact match because it is packaged as a downstream patch file, omits the upstream changelog update, and is applied against an older codebase with minor context/type differences. The essential security logic is preserved: it records the chunk's on-disk size separately, validates unfiltered chunk size against the expected chunk_size, uses checked conversions, reads using the disk-reported size, and propagates the renamed size variable through cache entry initialization.
  • Missing hunks:
    • Upstream release_docs/CHANGELOG.md hunk documenting the CVE fix is omitted in the PR patch.
    • The upstream final checked assignment uses hsize_t for ent->rd_count, while the PR patch uses uint32_t in that context due to the older target tree; this is a pre-existing codebase difference rather than a missing security hunk.
Detailed analysis

The main security-relevant hunks in H5D__chunk_lock() are present and aligned with upstream intent. Specifically, the PR renames chunk_alloc to chunk_disk_size, preserves the saved chunk metadata, adds the new validation that rejects unfiltered chunks when the index-reported on-disk size differs from the inferred chunk_size, converts chunk_disk_size to size_t via H5_CHECKED_ASSIGN before allocation/use, allocates based on the disk size, reads exactly chunk_disk_size bytes from disk, passes chunk_nbytes through H5Z_pipeline for filtered chunks, and updates the cache entry length to chunk_disk_size. These are the core changes that prevent the buffer size mismatch leading to the overflow condition described in CVE-2025-44904. Differences versus upstream are mostly expected backport artifacts: the patch is stored under SPECS/hdf5/CVE-2025-44904.patch, includes downstream patch metadata, omits the release_docs/CHANGELOG.md documentation hunk, and applies at older line numbers / source indices. One notable source-level difference is that upstream split the declaration and initialization of the size_t variables into declarations plus H5_CHECKED_ASSIGN, while the older tree appears to have had direct initialization originally; the PR correctly adopts the safer checked-assignment pattern from upstream. Another difference is the final H5_CHECKED_ASSIGN target type for ent->rd_count: upstream shows hsize_t, while the PR uses uint32_t, which strongly suggests a structural difference in the older branch rather than a regression introduced by this patch. Because the security check and data-flow changes are intact, the backport appears complete for the vulnerable path. Regression risk is low: the new size mismatch rejection only affects malformed or inconsistent unfiltered chunk metadata, which is precisely the intended hardening behavior. The omission of the changelog hunk does not affect runtime behavior.


Verdict

APPROVED — All checks passed. Ready to merge.

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review July 12, 2026 13:34
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner July 12, 2026 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants