[AutoPR- Security] Patch hdf5 for CVE-2025-44904 [HIGH]#17981
[AutoPR- Security] Patch hdf5 for CVE-2025-44904 [HIGH]#17981azurelinux-security wants to merge 2 commits into
Conversation
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
🔒 CVE Patch Review: CVE-2025-44904PR #17981 — [AutoPR- Security] Patch hdf5 for CVE-2025-44904 [HIGH] Spec File Validation
Build Verification
🤖 AI Build Log Analysis
🧪 Test Log Analysis
🤖 AI Test Log Analysis
Patch Analysis
Detailed analysisThe main security-relevant hunks in H5D__chunk_lock() are present and aligned with upstream intent. Specifically, the PR renames chunk_alloc to chunk_disk_size, preserves the saved chunk metadata, adds the new validation that rejects unfiltered chunks when the index-reported on-disk size differs from the inferred chunk_size, converts chunk_disk_size to size_t via H5_CHECKED_ASSIGN before allocation/use, allocates based on the disk size, reads exactly chunk_disk_size bytes from disk, passes chunk_nbytes through H5Z_pipeline for filtered chunks, and updates the cache entry length to chunk_disk_size. These are the core changes that prevent the buffer size mismatch leading to the overflow condition described in CVE-2025-44904. Differences versus upstream are mostly expected backport artifacts: the patch is stored under SPECS/hdf5/CVE-2025-44904.patch, includes downstream patch metadata, omits the release_docs/CHANGELOG.md documentation hunk, and applies at older line numbers / source indices. One notable source-level difference is that upstream split the declaration and initialization of the size_t variables into declarations plus H5_CHECKED_ASSIGN, while the older tree appears to have had direct initialization originally; the PR correctly adopts the safer checked-assignment pattern from upstream. Another difference is the final H5_CHECKED_ASSIGN target type for ent->rd_count: upstream shows hsize_t, while the PR uses uint32_t, which strongly suggests a structural difference in the older branch rather than a regression introduced by this patch. Because the security check and data-flow changes are intact, the backport appears complete for the vulnerable path. Regression risk is low: the new size mismatch rejection only affects malformed or inconsistent unfiltered chunk metadata, which is precisely the intended hardening behavior. The omission of the changelog hunk does not affect runtime behavior. Verdict✅ APPROVED — All checks passed. Ready to merge. |

Auto Patch hdf5 for CVE-2025-44904.
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1156894&view=results
CVE-2025-44904 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1156895&view=results
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology