Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 620466 (CVE-2016-3189)

Summary: <app-arch/bzip2-1.0.6-r8: heap use after free in bzip2recover
Product: Gentoo Security Reporter: Andrey Ovcharov <sudormrfhalt>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: ago, base-system, jstein
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Description Flags
CVE-2016-3189.patch none

Description Andrey Ovcharov 2017-06-03 05:07:51 UTC
Created attachment 475058 [details, diff]

current app-arch/bzip2-1.0.6-r7 affected CVE-2016-3189
Comment 1 Jonas Stein gentoo-dev 2017-06-03 08:12:44 UTC
Thank you
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-06-03 11:49:38 UTC
commit fd4e6acf26c5766cfe17b4d1be223afcd0bab1e0 (HEAD -> master, origin/master, origin/HEAD)             
Author: Lars Wendler <>      
Date:   Sat Jun 3 13:48:46 2017                     

    app-arch/bzip2: Security revbump to fix CVE-2016-3189 (bug #620466).                                 
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-06-03 11:51:08 UTC
Arches please test and mark stable =app-arch/bzip2-1.0.6-r8 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-03 12:30:56 UTC
A duplicate of 586670, however, a READ issue in a command line tool is not considered cve-worthy, so this is not a security issue at all.
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-04 10:35:08 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-04 10:43:54 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-04 19:21:57 UTC
Stable on alpha.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-04 19:38:12 UTC
ia64 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 20:34:40 UTC
*** Bug 586670 has been marked as a duplicate of this bug. ***
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 20:38:15 UTC
New GLSA request filed.
Comment 11 Markus Meier gentoo-dev 2017-06-08 05:10:06 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-06-10 13:48:25 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-06-13 12:34:15 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-06-21 12:02:11 UTC
ppc stable
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2017-08-02 03:09:47 UTC
Arches or maintainers please stabilize for Hippo ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2017-08-21 01:30:20 UTC
This issue was resolved and addressed in
 GLSA 201708-08 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-21 01:31:15 UTC
Re-opening for remaining architecture.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2017-09-03 21:59:40 UTC
hppa stabilization (see Bug #629554)
Maintainer(s), please drop the vulnerable version(s).
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-09 20:03:17 UTC
stable for hppa (thank to Dakon)

Last arch is done here.
Comment 20 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-10 03:04:27 UTC
Thank you,

@Maintainers please let us know when all vulnerable versions are dropped from tree.

Gentoo Security Padawan
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2017-10-02 04:34:55 UTC
Maintainer(s), please drop the vulnerable version(s).
New month (October), vulnerable version still in tree.
Comment 22 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-02 09:13:12 UTC
Cleaned up via

Repository is clean, all done.