(based on an email by Niko Tyni of Debian) CVE-2009-1884: Paul Marquess <Paul.Marquess@ntlworld.com>, the upstream author of Compress-Raw-{Zlib,Bzip2}, reported that Compress-Raw-Bzip2 has the same off-by-one buffer overflow as Compress-Raw-Zlib (CVE-2009-1391). The bug was fixed upstream in 2.018; the patch is attached for reference.
Created attachment 201642: CVE-2009-1884.patch
=perl-core/Compress-Raw-Bzip2-2.020 is stable, so this is glsa-ready.
GLSA 200908-07
CVE-2009-1884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1884): Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2 module before 2.018 for Perl allows context-dependent attackers to cause a denial of service (application hang or crash) via a crafted bzip2 compressed stream that triggers a buffer overflow, a related issue to CVE-2009-1391.