213820 CVE-2008-1372 2008-03-18 12:30 0000 app-arch/bzip2 <1.0.5 CERT-FI: 20469 Buffer overread (CVE-2008-1372) 2008-04-02 21:31:43 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html A3 [glsa] P2 normal --- 1 hanno@gentoo.org security@gentoo.org arm@gentoo.org m68k@gentoo.org s390@gentoo.org sh@gentoo.org hanno@gentoo.org 2008-03-18 12:30:45 0000 CERT-FI did a fuzzing tool test and discovered issues in various archiving tools. bzip2 is vulnerable, fixed in 1.0.5. This code is probably bundled in some other packages. vapier@gentoo.org 2008-03-18 13:38:19 0000 ive added 1.0.5 to the tree ... now if only they didnt screw up the packaging of it ... rbu@gentoo.org 2008-03-18 13:47:14 0000 Arches, please test and mark stable: =app-arch/bzip2-1.0.5 Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 release s390 sh sparc x86" rbu@gentoo.org 2008-03-18 14:16:44 0000 Created an attachment (id=146488) bzip2-CERT-FI-20469.patch Just for reference, the patch. fmccor@gentoo.org 2008-03-18 16:31:22 0000 Sparc stable. All tests pass, it works on my files, and portage can use it. jer@gentoo.org 2008-03-18 17:17:26 0000 (In reply to comment #4) > Sparc stable. All tests pass, it works on my files, and portage can use it. That's odd. Ferris forgot to mark the ebuild. So er, stable for HPPA and SPARC then. :) dertobi123@gentoo.org 2008-03-18 18:28:17 0000 ppc stable armin76@gentoo.org 2008-03-18 18:30:32 0000 alpha/ia64/x86 stable beandog@gentoo.org 2008-03-19 00:34:46 0000 amd64 stable dirtyepic@gentoo.org 2008-03-19 01:58:29 0000 there's no need to cc mips on security stabilization bugs. we're ~arch only. corsair@gentoo.org 2008-03-19 19:00:37 0000 ppc64 stable pva@gentoo.org 2008-03-19 20:53:31 0000 Fixed in release snapshot. rbu@gentoo.org 2008-03-21 02:17:53 0000 request filed py@gentoo.org 2008-04-02 21:31:43 0000 GLSA 200804-02 146488 2008-03-18 14:16 0000 bzip2-CERT-FI-20469.patch bzip2-CERT-FI-20469.patch text/plain LS0tIGJ6aXAyLTEuMC40L2J6bGliLmMJMjAwNy0wMS0wMyAwMzowMDo1NS4wMDAwMDAwMDAgKzAx MDAKKysrIGJ6aXAyLTEuMC41L2J6bGliLmMJMjAwNy0xMi0wOSAxNDo1NzoyMS4wMDAwMDAwMDAg KzAxMDAKQEAgLTU5OCw2ICs1OTgsNyBAQAogICAgICAgVUludDMyICAgICAgICBjX3RQb3MgICAg ICAgICAgICAgICA9IHMtPnRQb3M7CiAgICAgICBjaGFyKiAgICAgICAgIGNzX25leHRfb3V0ICAg ICAgICAgID0gcy0+c3RybS0+bmV4dF9vdXQ7CiAgICAgICB1bnNpZ25lZCBpbnQgIGNzX2F2YWls X291dCAgICAgICAgID0gcy0+c3RybS0+YXZhaWxfb3V0OworICAgICAgSW50MzIgICAgICAgICBy b19ibG9ja1NpemUxMDBrICAgICA9IHMtPmJsb2NrU2l6ZTEwMGs7CiAgICAgICAvKiBlbmQgcmVz dG9yZSAqLwogCiAgICAgICBVSW50MzIgICAgICAgYXZhaWxfb3V0X0lOSVQgPSBjc19hdmFpbF9v dXQ7Ci0tLSBiemlwMi0xLjAuNC9iemxpYl9wcml2YXRlLmgJMjAwNy0wMS0wMyAwMzowMDo1NS4w MDAwMDAwMDAgKzAxMDAKKysrIGJ6aXAyLTEuMC41L2J6bGliX3ByaXZhdGUuaAkyMDA3LTEyLTA5 IDE1OjAwOjQ2LjAwMDAwMDAwMCArMDEwMApAQCAtNDQyLDExICs0NDIsMTUgQEAKIC8qLS0gTWFj cm9zIGZvciBkZWNvbXByZXNzaW9uLiAtLSovCiAKICNkZWZpbmUgQlpfR0VUX0ZBU1QoY2NjYykg ICAgICAgICAgICAgICAgICAgICBcCisgICAgLyogY190UG9zIGlzIHVuc2lnbmVkLCBoZW5jZSB0 ZXN0IDwgMCBpcyBwb2ludGxlc3MuICovIFwKKyAgICBpZiAocy0+dFBvcyA+PSAoVUludDMyKTEw MDAwMCAqIChVSW50MzIpcy0+YmxvY2tTaXplMTAwaykgcmV0dXJuIFRydWU7IFwKICAgICBzLT50 UG9zID0gcy0+dHRbcy0+dFBvc107ICAgICAgICAgICAgICAgICBcCiAgICAgY2NjYyA9IChVQ2hh cikocy0+dFBvcyAmIDB4ZmYpOyAgICAgICAgICAgXAogICAgIHMtPnRQb3MgPj49IDg7CiAKICNk ZWZpbmUgQlpfR0VUX0ZBU1RfQyhjY2NjKSAgICAgICAgICAgICAgICAgICBcCisgICAgLyogY190 UG9zIGlzIHVuc2lnbmVkLCBoZW5jZSB0ZXN0IDwgMCBpcyBwb2ludGxlc3MuICovIFwKKyAgICBp ZiAoY190UG9zID49IChVSW50MzIpMTAwMDAwICogKFVJbnQzMilyb19ibG9ja1NpemUxMDBrKSBy ZXR1cm4gVHJ1ZTsgXAogICAgIGNfdFBvcyA9IGNfdHRbY190UG9zXTsgICAgICAgICAgICAgICAg ICAgIFwKICAgICBjY2NjID0gKFVDaGFyKShjX3RQb3MgJiAweGZmKTsgICAgICAgICAgICBcCiAg ICAgY190UG9zID4+PSA4OwpAQCAtNDY5LDggKzQ3MywxMCBAQAogICAgKCgoVUludDMyKXMtPmxs MTZbaV0pIHwgKEdFVF9MTDQoaSkgPDwgMTYpKQogCiAjZGVmaW5lIEJaX0dFVF9TTUFMTChjY2Nj KSAgICAgICAgICAgICAgICAgICAgICAgICAgICBcCi0gICAgICBjY2NjID0gQloyX2luZGV4SW50 b0YgKCBzLT50UG9zLCBzLT5jZnRhYiApOyAgICBcCi0gICAgICBzLT50UG9zID0gR0VUX0xMKHMt PnRQb3MpOworICAgIC8qIGNfdFBvcyBpcyB1bnNpZ25lZCwgaGVuY2UgdGVzdCA8IDAgaXMgcG9p bnRsZXNzLiAqLyBcCisgICAgaWYgKHMtPnRQb3MgPj0gKFVJbnQzMikxMDAwMDAgKiAoVUludDMy KXMtPmJsb2NrU2l6ZTEwMGspIHJldHVybiBUcnVlOyBcCisgICAgY2NjYyA9IEJaMl9pbmRleElu dG9GICggcy0+dFBvcywgcy0+Y2Z0YWIgKTsgICAgXAorICAgIHMtPnRQb3MgPSBHRVRfTEwocy0+ dFBvcyk7CiAKIAogLyotLSBleHRlcm5zIGZvciBkZWNvbXByZXNzaW9uLiAtLSovCg==