CVE-2016-4330
Published: 18 November 2016
In the HDF5 1.8.16 library's failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.
From the Ubuntu Security Team
It was discovered that HDF5 incorrectly handled certain input files. An attacker could possibly use this issue to execute arbitrary code.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
hdf5 Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Not vulnerable
(1.10.0-patch1+docs-1~exp5)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Released
(1.8.11-5ubuntu7.1)
|
|
| upstream |
Released
(1.8.18)
|
|
| xenial |
Released
(1.8.16+docs-4ubuntu1.1)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.6 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |