Bug 213820 - app-arch/bzip2 <1.0.5 CERT-FI: 20469 Buffer overread (CVE-2008-1372)
Bug#: 213820 (CVE-2008-1372) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: hanno@gentoo.org
Component: Vulnerabilities
URL:  https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
Summary: app-arch/bzip2 <1.0.5 CERT-FI: 20469 Buffer overread (CVE-2008-1372)
Keywords:  
Status Whiteboard: A3 [glsa]
Opened: 2008-03-18 12:30 0000
Description:   Opened: 2008-03-18 12:30 0000 
CERT-FI did a fuzzing tool test and discovered issues in various archiving
tools.

bzip2 is vulnerable, fixed in 1.0.5. This code is probably bundled in some
other packages.

------- Comment #1 From SpanKY 2008-03-18 13:38:19 0000 ------- 
ive added 1.0.5 to the tree ... now if only they didnt screw up the packaging
of it ...

------- Comment #2 From Robert Buchholz 2008-03-18 13:47:14 0000 ------- 
Arches, please test and mark stable:
=app-arch/bzip2-1.0.5
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 release s390
sh sparc x86"

------- Comment #3 From Robert Buchholz 2008-03-18 14:16:44 0000 ------- 
Created an attachment (id=146488) [details]
bzip2-CERT-FI-20469.patch

Just for reference, the patch.

------- Comment #4 From Ferris McCormick 2008-03-18 16:31:22 0000 ------- 
Sparc stable.  All tests pass, it works on my files, and portage can use it.

------- Comment #5 From Jeroen Roovers 2008-03-18 17:17:26 0000 ------- 
(In reply to comment #4)
> Sparc stable.  All tests pass, it works on my files, and portage can use it.

That's odd. Ferris forgot to mark the ebuild. So er, stable for HPPA and SPARC
then. :)

------- Comment #6 From Tobias Scherbaum 2008-03-18 18:28:17 0000 ------- 
ppc stable

------- Comment #7 From Raúl Porcel 2008-03-18 18:30:32 0000 ------- 
alpha/ia64/x86 stable

------- Comment #8 From Steve Dibb 2008-03-19 00:34:46 0000 ------- 
amd64 stable

------- Comment #9 From Ryan Hill 2008-03-19 01:58:29 0000 ------- 
there's no need to cc mips on security stabilization bugs.  we're ~arch only.

------- Comment #10 From Markus Rothe 2008-03-19 19:00:37 0000 ------- 
ppc64 stable

------- Comment #11 From Peter Volkov 2008-03-19 20:53:31 0000 ------- 
Fixed in release snapshot.

------- Comment #12 From Robert Buchholz 2008-03-21 02:17:53 0000 ------- 
request filed

------- Comment #13 From Pierre-Yves Rofes 2008-04-02 21:31:43 0000 ------- 
GLSA 200804-02