Added CVE info to RELEASE.txt (#4367)

release_docs/RELEASE.txt

@@ -747,6 +747,225 @@ Bug Fixes since HDF5-1.14.0 release
 
     Library
     -------
+    - Fixed many (future) CVE issues
+
+      A partner organization corrected many potential security issues, which
+      were fixed and reported to us before submission to MITRE. These do
+      not have formal CVE issues assigned to them yet, so the numbers assigned
+      here are just placeholders. We will update the HDF5 1.14 CVE list (link
+      below) when official MITRE CVE tracking numbers are assigned.
+
+      These CVE issues are generally of the same form as other reported HDF5
+      CVE issues, and rely on the library failing while attempting to read
+      a malformed file. Most of them cause the library to segfault and will
+      probably be assigned "medium (~5/10)" scores by NIST, like the other
+      HDF5 CVE issues.
+
+      The issues that were reported to us have all been fixed in this release,
+      so HDF5 will continue to have no unfixed public CVE issues.
+
+      NOTE: HDF5 versions earlier than 1.14.4 should be considered vulnerable
+            to these issues and users should upgrade to 1.14.4 as soon as
+            possible. Note that it's possible to build the 1.14 library with
+            HDF5 1.8, 1.10, etc. API bindings for people who wish to enjoy
+            the benefits of a more secure library but don't want to upgrade
+            to the latest API. We will not be bringing the CVE fixes to earlier
+            versions of the library (they are no longer supported).
+
+      LIST OF CVE ISSUES FIXED IN THIS RELEASE:
+
+        * CVE-2024-0116-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5D__scatter_mem resulting in causing denial of service or potential
+            code execution
+
+        * CVE-2024-0112-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5S__point_deserialize resulting in the corruption of the
+            instruction pointer and causing denial of service or potential code
+            execution
+
+        * CVE-2024-0111-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5T__conv_struct_opt resulting in causing denial of service or
+            potential code execution
+
+        * CVE-2023-1208-002
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5O__mtime_new_encode resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1208-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5O__layout_encode resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1207-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5O__dtype_encode_helper causing denial of service or potential
+            code execution
+
+        * CVE-2023-1205-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5VM_array_fill resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1202-002
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5T__get_native_type resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1202-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5T__ref_mem_setnull resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1130-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5T_copy_reopen resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1125-001
+            HDF5 versions <= 1.14.3 contain a heap buffer overflow in
+            H5Z__nbit_decompress_one_byte caused by the earlier use of an
+            initialized pointer. This may result in Denial of Service or
+            potential code execution
+
+        * CVE-2023-1114-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5HG_read resulting in the corruption of the instruction pointer
+            and causing denial of service or potential code execution
+
+        * CVE-2023-1113-002
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5F_addr_decode_len resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1113-001
+            HDF5 versions <= 1.14.3 contain a heap buffer overflow caused by
+            the unsafe use of strdup in H5MM_xstrdup, resulting in denial of
+            service or potential code execution
+
+        * CVE-2023-1108-001
+            HDF5 versions <= 1.14.3 contain a out-of-bounds read operation in
+            H5FL_arr_malloc resulting in denial of service or potential code
+            execution
+
+        * CVE-2023-1104-004
+            HDF5 versions <= 1.14.3 contain a out-of-bounds read operation in
+            H5T_close_real resulting in denial of service or potential code
+            execution
+
+        * CVE-2023-1104-003
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow flaw
+            in the function H5HL__fl_deserialize resulting in denial of service
+            or potential code execution
+
+        * CVE-2023-1104-002
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5HL__fl_deserialize resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1104-001
+            HDF5 library versions <=1.14.3 contains a stack overflow in the
+            function H5E_printf_stack resulting in denial of service or
+            potential code execution
+
+        * CVE-2023-1023-001
+            HDF5 library versions <=1.14.3 heap buffer overflow in
+            H5VM_memcpyvv which may result in denial of service or code
+            execution
+
+        * CVE-2023-1019-001
+            HDF5 library versions <=1.14.3 contain a stack buffer overflow in
+            H5VM_memcpyvv resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1018-001
+            HDF5 library versions <=1.14.3 contain a memory corruption in
+            H5A__close resulting in the corruption of the instruction pointer
+            and causing denial of service or potential code execution
+
+        * CVE-2023-1017-002
+            HDF5 library versions <=1.14.3 may use an uninitialized value
+            H5A__attr_release_table resulting in denial of service
+
+        * CVE-2023-1017-001
+            HDF5 library versions <=1.14.3 may attempt to dereference
+            uninitialized values in h5tools_str_sprint, which will lead to
+            denial of service
+
+        * CVE-2023-1013-004
+            HDF5 versions <= 1.13.3 contain a stack buffer overflow in
+            H5HG_read resulting in denial of service or potential code
+            execution
+
+        * CVE-2023-1013-003
+            HDF5 library versions <=1.14.3 contain a buffer overrun in
+            H5Z__filter_fletcher32 resulting in the corruption of the
+            instruction pointer and causing denial of service or potential
+            code execution
+
+        * CVE-2023-1013-002
+            HDF5 library versions <=1.14.3 contain a buffer overrun in
+            H5O__linfo_decode resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1013-001
+            HDF5 library versions <=1.14.3 contain a buffer overrun in
+            H5Z__filter_scaleoffset resulting in the corruption of the
+            instruction pointer and causing denial of service or potential
+            code execution
+
+        * CVE-2023-1012-001
+            HDF5 library versions <=1.14.3 contain a stack buffer overflow in
+            H5R__decode_heap resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1010-001
+            HDF5 library versions <=1.14.3 contain a stack buffer overflow in
+            H5FL_arr_malloc resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1009-001
+            HDF5 library versions <=1.14.3 contain a stack buffer overflow in
+            H5FL_arr_malloc resulting in the corruption of the instruction
+            pointer and causing denial of service or potential code execution
+
+        * CVE-2023-1006-004
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5A__attr_release_table resulting in the corruption of the
+            instruction pointer and causing denial of service or potential code
+            execution
+
+        * CVE-2023-1006-003
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5T__bit_find resulting in the corruption of the instruction pointer
+            and causing denial of service or potential code execution.
+
+        * CVE-2023-1006-002
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5HG_read resulting in the corruption of the instruction pointer
+            and causing denial of service or potential code execution
+
+        * CVE-2023-1006-001
+            HDF5 library versions <=1.14.3 contain a heap buffer overflow in
+            H5HG__cache_heap_deserialize resulting in the corruption of the
+            instruction pointer and causing denial of service or potential code
+            execution
+
+      FULL OFFICIAL HDF5 CVE list (from mitre.org):
+
+        https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=HDF5
+
+      1.14.x CVE tracking list:
+
+        https://github.com/HDFGroup/hdf5/blob/hdf5_1_14/CVE_list_1_14.md
+
+      HDF5 CVE regression test suite (includes proof-of-concept files):
+
+        https://github.com/HDFGroup/cve_hdf5
+
     - Fixed a divide-by-zero issue when a corrupt file sets the page size to 0
 
       If a corrupt file sets the page buffer size in the superblock to zero,