Bug 688614 (CVE-2019-12900)

Summary:	<app-arch/bzip2-1.0.6-r11: out-of-bounds write
Product:	Gentoo Security	Reporter:	Robert Holzknecht <nightdragon>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	critical	CC:	nightdragon
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://nvd.nist.gov/vuln/detail/CVE-2019-12900
Whiteboard:	A4 [noglsa cve]
Package list:		Runtime testing required:	---

Description Robert Holzknecht 2019-06-24 14:59:55 UTC

According to CVE-2019-12900, bzip2 <= version 1.0.6 suffers an issue where code can be executed on any system processing a compromised archive. E.g. a virus scanner for mail unpacking the archive may execute code as the user, running the decompression.

Content of the CVE:
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors..

Please add the commit https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc as patch to the gentoo package. (e.g. as 1.0.6-r3)

Thanks.

Reproducible: Always

Steps to Reproduce:
Please see the CVE for reproduction.
Actual Results:  
Unprivileged code being executed 

Expected Results:  
Code will not be executed.

Comment 1 Robert Holzknecht 2019-06-24 15:01:51 UTC

Correction: Type: 1.0.6-r2 should be 1.0.6-r11 so a patch as r12 would be nice.

Thanks.

Comment 2 Alexander Bezrukov 2019-06-29 21:54:17 UTC

As far as I can see, -r11 already includes the fix for CVE-2019-12900:

decompress.c:291  if (nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2019-08-10 16:59:35 UTC

Fix is already in 1.0.6
 https://gitlab.com/federicomenaquintero/bzip2/commit/812a898b7622de90e98f103ff7fed0984e4548e4