HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. — CVE-2024-29159

Zusammenfassung

Sicherheitshinweis CVE-2024-29159. HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset resulting in the corruption of the instruction pointer and… Hersteller: Microsoft. Quelle: MSRC. Risiko: critical. CVSS 9.8.…

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

• Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
• Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
• Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
• Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Zur offiziellen Quelle

Mehr dazu

• GitHub: CVE-2024-32002 Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution CVE-2024-32002
• HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5HG_read in H5HG.c (called from H5VL__native_blob_get in H5VLnative_blob.c) resulting in the corruption of the instruction pointer. CVE-2024-32621
• HDF5 Library through 1.14.3 contains a out-of-bounds read operation in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in H5S.c). CVE-2024-32622
• HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c. CVE-2024-32611
• HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVE-2024-29157
• Memory safety bugs present in Firefox 125. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126. CVE-2024-4778
• .NET and Visual Studio Remote Code Execution Vulnerability CVE-2024-30045
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2023-4133
• ACPI: CPPC: Use access_width over bit_width for system memory accesses CVE-2024-35995
• amd/amdkfd: sync all devices to wait all processes being evicted CVE-2024-36949
• An HTTP digest authentication nonce value was generated using `rand()` which could lead to predictable values. This vulnerability affects Firefox &lt; 126. CVE-2024-4772
• An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. CVE-2024-33394