Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 688614 (CVE-2019-12900)

Summary: <app-arch/bzip2-1.0.6-r11: out-of-bounds write
Product: Gentoo Security Reporter: Robert Holzknecht <nightdragon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: critical CC: nightdragon
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Robert Holzknecht 2019-06-24 14:59:55 UTC
According to CVE-2019-12900, bzip2 <= version 1.0.6 suffers an issue where code can be executed on any system processing a compromised archive. E.g. a virus scanner for mail unpacking the archive may execute code as the user, running the decompression.

Content of the CVE:
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors..

Please add the commit as patch to the gentoo package. (e.g. as 1.0.6-r3)


Reproducible: Always

Steps to Reproduce:
Please see the CVE for reproduction.
Actual Results:  
Unprivileged code being executed 

Expected Results:  
Code will not be executed.
Comment 1 Robert Holzknecht 2019-06-24 15:01:51 UTC
Correction: Type: 1.0.6-r2 should be 1.0.6-r11 so a patch as r12 would be nice.

Comment 2 Alexander Bezrukov 2019-06-29 21:54:17 UTC
As far as I can see, -r11 already includes the fix for CVE-2019-12900:

decompress.c:291  if (nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-08-10 16:59:35 UTC
Fix is already in 1.0.6