The libraries for the scientific data file format, Common Data
Format (CDF) version 3.2 and earlier, have the potential for a
buffer overflow vulnerability when reading specially-crafted
(invalid) CDF files. If successful, this could trigger execution
of arbitrary code within the context of the CDF-reading program
that could be exploited to compromise a system, or otherwise
crash the program. While it's unlikely that you would open CDFs
from untrusted sources, we recommend everyone upgrade to the
latest CDF libraries on their systems, including the IDL and
Matlab plugins. Most worrisome is any service that enables the
general public to submit CDF files for processing.
The vulnerability is in the CDF library routines not properly
checking the length tags on a CDF file before copying data to a
stack buffer. Exploitation requires the user to explicitly open
a specially-crafted file. CDF users should not open files from
untrusted third parties until the patch is applied (and continue
then to exercise normal caution for files from untrusted third
parties).