Bug 213820 (CVE-2008-1372) - app-arch/bzip2 <1.0.5 CERT-FI: 20469 Buffer overread (CVE-2008-1372)
Summary: app-arch/bzip2 <1.0.5 CERT-FI: 20469 Buffer overread (CVE-2008-1372)
Status: RESOLVED FIXED
Alias: CVE-2008-1372
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://www.cert.fi/haavoittuvuudet/j...
Whiteboard: A3 [glsa]
Reported: 2008-03-18 12:30 UTC by Hanno Böck
Modified: 2020-04-06 21:01 UTC
Attachments
bzip2-CERT-FI-20469.patch (bzip2-CERT-FI-20469.patch,1.72 KB, patch)
2008-03-18 14:16 UTC, Robert Buchholz (RETIRED)
Description Hanno Böck gentoo-dev 2008-03-18 12:30:45 UTC
CERT-FI did a fuzzing tool test and discovered issues in various archiving tools.

bzip2 is vulnerable, fixed in 1.0.5. This code is probably bundled in some other packages.
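As an added illustration of the kind of test that surfaced this class of bug, the following mutation fuzzer drives a bzip2 decompressor with corrupted and truncated streams and classifies every outcome, so that a crash, a hang or a silently wrong output would stand out from the expected "corrupt" and "truncated" rejections. This harness is not from CERT-FI, the bzip2 project or the bug report; it uses Python's bz2 module (and therefore whatever libbz2 the interpreter is built against), the sample payload is constructed, and the mutators and the status names are the example's own choices.

```python
"""Mutation-fuzz harness for a bzip2 decompressor (added example, not from the bug)."""
import bz2
import random

# Constructed sample input (not from the bug report): compressible text so the
# bzip2 stream exercises RLE, BWT and Huffman stages.
SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 200


def compressed_sample() -> bytes:
    """A valid bzip2 stream to mutate (and the test's starting point)."""
    return bz2.compress(SAMPLE)


def decompress_strict(data: bytes):
    """Decompress with the incremental API so truncated input is distinguishable
    from corrupt input. Returns ("ok", payload), ("truncated", partial) or
    ("corrupt", message). Python's bz2 reports a bad stream as OSError."""
    dec = bz2.BZ2Decompressor()
    try:
        out = dec.decompress(data)
    except OSError as exc:          # "Invalid data stream": bad magic, bad CRC, ...
        return ("corrupt", str(exc))
    if not dec.eof:                 # ran out of input before the end-of-stream marker
        return ("truncated", out)
    return ("ok", out)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one mutator chosen at random: flip a bit, truncate, or insert garbage.
    These three are the example's own choice, not CERT-FI's tool."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return bytes(buf)


def fuzz(iterations: int, seed: int = 0) -> dict:
    """Run the decoder over `iterations` mutated streams and tally the outcomes.
    A "mismatch" (decoder said ok but returned different plaintext) or an
    uncaught exception/crash is what a fuzzing campaign is looking for."""
    rng = random.Random(seed)       # fixed seed: the run is reproducible
    good = compressed_sample()
    tally = {"ok": 0, "truncated": 0, "corrupt": 0, "mismatch": 0}
    for _ in range(iterations):
        status, payload = decompress_strict(mutate(good, rng))
        if status == "ok" and payload != SAMPLE:
            tally["mismatch"] += 1
        else:
            tally[status] += 1
    return tally


if __name__ == "__main__":
    print(fuzz(1000, seed=1))
```

On a system with bzip2 1.0.5 or later the interesting counters should stay at zero and the process should never die; the point of keeping the loop this small and reproducible is that, when a decoder does misbehave, the seed and iteration number identify the offending input for a minimised reproducer.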
Comment 1 SpanKY gentoo-dev 2008-03-18 13:38:19 UTC
I've added 1.0.5 to the tree ... now if only they didn't screw up the packaging of it ...
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 13:47:14 UTC
Arches, please test and mark stable:
=app-arch/bzip2-1.0.5
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 release s390 sh sparc x86"
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 14:16:44 UTC
Created attachment 146488 [details, diff]
bzip2-CERT-FI-20469.patch

Just for reference, the patch.
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2008-03-18 16:31:22 UTC
Sparc stable.  All tests pass, it works on my files, and portage can use it.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-18 17:17:26 UTC
(In reply to comment #4)
> Sparc stable.  All tests pass, it works on my files, and portage can use it.

That's odd. Ferris forgot to mark the ebuild. So er, stable for HPPA and SPARC then. :)
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-18 18:28:17 UTC
ppc stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-03-18 18:30:32 UTC
alpha/ia64/x86 stable
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2008-03-19 00:34:46 UTC
amd64 stable
Comment 9 Ryan Hill (RETIRED) gentoo-dev 2008-03-19 01:58:29 UTC
There's no need to CC mips on security stabilization bugs. We're ~arch only.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2008-03-19 19:00:37 UTC
ppc64 stable
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-03-19 20:53:31 UTC
Fixed in release snapshot.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 02:17:53 UTC
request filed
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-02 21:31:43 UTC
GLSA 200804-02