Bug 338215 (CVE-2010-0405)

Comment 1 Jeremy Olexa (darkside) (RETIRED) 2010-09-20 21:21:29 UTC

We need a version bump first. :)

@base-system: A rename to 1.0.6 works with the exception of the ${PN}-1.0.4-saneso.patch doesn't apply anymore. If you s/1.0.4/1.0.6/g in the patch, it works and builds. I did not runtime test.

bzip2 (1.0.5-1ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: fix integer overflow in BZ2_decompress()
    - decompress.c: return error if N is larger than 2*1024^2 which keeps es
      from overflowing but leaves enough room for the 900k maximum value of
      the RUNA/RUNB encoding
    - patch from upstream
    - CVE-2010-0405

 -- Jamie Strandboge   Thu, 09 Sep 2010 10:16:51 -0500

also in openbsd

ListWare

    * Subscribe openbsd-ports
    * Support and FAQ

Home - openbsd - openbsd-ports - 201009 - Thread
security update: archivers/bzip2 1.0.6 CVE-2010-0405
by roberthon 2010-09-20T16:32:12+00:00

    * Previous thread: UPDATE: net-snmp
    * Next thread: Security: archivers/bzip2
    * Threads sorted by date: openbsd-ports 201009

Index: archivers/bzip2/Makefile
==================================================================RCS file: /cvs/ports/archivers/bzip2/Makefile,v
retrieving revision 1.57
diff -u -p -u -p -r1.57 Makefile
COMMENT= block-sorting file compressor, unencumbered
-VERSION= 1.0.5
+VERSION= 1.0.6
DISTNAME= bzip2-${VERSION}
CATEGORIES= archivers
MASTER-SITES= ${HOMEPAGE}${VERSION}/
@@ -15,6 +15,8 @@ PERMIT-PACKAGE-CDROM= Yes
PERMIT-PACKAGE-FTP= Yes
PERMIT-DISTFILES-CDROM= Yes
PERMIT-DISTFILES-FTP= Yes
+
+REVISION= 0
WANTLIB= c
BZ2-CFLAGS= -Wall -Winline
Index: archivers/bzip2/distinfo
==================================================================RCS file: /cvs/ports/archivers/bzip2/distinfo,v
retrieving revision 1.6
diff -u -p -u -p -r1.6 distinfo
Re: security update: archivers/bzip2 1.0.6 CVE-2010-0405
by roberthon 2010-09-20T17:10:58+00:00.
Removed unnecessary REVISON, as pointed out by Markus Lude.
Index: archivers/bzip2/Makefile
==================================================================RCS file: /cvs/ports/archivers/bzip2/Makefile,v
retrieving revision 1.57
diff -u -p -r1.57 Makefile
COMMENT= block-sorting file compressor, unencumbered
-VERSION= 1.0.5
+VERSION= 1.0.6
DISTNAME= bzip2-${VERSION}
CATEGORIES= archivers
MASTER-SITES= ${HOMEPAGE}${VERSION}/
Index: archivers/bzip2/distinfo
==================================================================RCS file: /cvs/ports/archivers/bzip2/distinfo,v
retrieving revision 1.6
diff -u -p -r1.6 distinfo

Comment 3 SpanKY 2010-09-20 22:01:32 UTC

the summary says "<=1.0.6".  should it perhaps say "<1.0.6" ?

Comment 4 SpanKY 2010-09-20 22:30:13 UTC

bzip-1.0.6 now in the tree

Comment 5 Dirkjan Ochtman (RETIRED) 2010-09-21 07:57:57 UTC

Can we do speedy stabilization?

Comment 6 Alex Legler (RETIRED) 2010-09-21 08:00:53 UTC

Arches, please test and mark stable:
=app-arch/bzip2-1.0.6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 7 Markos Chandras (RETIRED) 2010-09-21 11:54:56 UTC

amd64 done

Comment 8 Jeroen Roovers (RETIRED) 2010-09-21 13:09:29 UTC

Stable for PPC.

Comment 9 Jeroen Roovers (RETIRED) 2010-09-21 13:30:57 UTC

Stable for HPPA.

Comment 10 Thomas Kahle (RETIRED) 2010-09-21 14:03:28 UTC

Archtested on x86: Everything fine. Let's get going.

Comment 11 Tomáš Chvátal (RETIRED) 2010-09-22 13:07:17 UTC

(In reply to comment #10)
> Archtested on x86: Everything fine. Let's get going.
> 

My x86 chroot reports the same. Thanks for testing.
x86 stable.

(In reply to comment #11)
> (In reply to comment #10)
> > Archtested on x86: Everything fine. Let's get going.
> > 
> 
> My x86 chroot reports the same. Thanks for testing.
> x86 stable.
> 

And a third person from x86 confirming that it is ok. ;)

I wonder how many packages there are that link in libz2 statically, or have the option of doing so. One pertinent example would be app-arch/pbzip2 which has a "static" USE flag. Does anyone agree that it would be worth issuing a revision bump for pbzip2 with a DEPEND on ">=app-arch/bzip2-1.0.6" for the sole purpose of ensuring that those using statically built versions are covered by way of a routine upgrade?

Comment 14 Diego Elio Pettenò (RETIRED) 2010-09-22 16:46:11 UTC

If necessary I can give you at least a vague idea about that… but as I said it's vague.

Here's a full list of packages which depend on app-arch/bzip2 that may be built statically, if anyone is interested. There may be a few false positives as I'm not in a position to verify that each of these actually links in libbz2, as opposed to just calling upon the bzip2 application.

app-arch/dump
app-arch/libarchive
app-arch/pbzip2
app-crypt/gnupg
dev-libs/libpcre
media-gfx/imagemagick
media-libs/coin
media-video/ffmpeg
sys-block/partimage
sys-cluster/cluster-glue

Comment 16 SpanKY 2010-09-22 18:29:32 UTC

if a package is always linking statically, that's a bug and you should open one

as for people doing USE=static, that isnt our concern for today and it isnt specific to USE=bzip2

Comment 17 Markus Meier 2010-09-23 20:49:52 UTC

arm stable

Comment 18 Tobias Klausmann (RETIRED) 2010-09-26 16:14:22 UTC

Stable on alpha.

Comment 19 Samuli Suominen (RETIRED) 2010-09-29 04:48:05 UTC

ppc64 stable

Comment 20 Stefan Behte (RETIRED) 2010-10-01 20:28:35 UTC

CVE-2010-0405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0405):
  Integer overflow in the BZ2_decompress function in decompress.c in
  bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to
  cause a denial of service (application crash) or possibly execute
  arbitrary code via a crafted compressed file.

Comment 21 Raúl Porcel (RETIRED) 2010-10-09 16:30:55 UTC

ia64/m68k/s390/sh/sparc stable

Comment 22 Stefan Behte (RETIRED) 2010-10-13 04:04:22 UTC

GLSA request filed.

Comment 23 Dirkjan Ochtman (RETIRED) 2012-02-16 14:17:16 UTC

Presumably this can be closed?

Comment 24 GLSAMaker/CVETool Bot 2013-01-09 00:51:34 UTC

This issue was resolved and addressed in
 GLSA 201301-05 at http://security.gentoo.org/glsa/glsa-201301-05.xml
by GLSA coordinator Stefan Behte (craig).