Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 338215 (CVE-2010-0405) - <app-arch/bzip2-1.0.6: Integer overflow in decompress.c (CVE-2010-0405)
Summary: <app-arch/bzip2-1.0.6: Integer overflow in decompress.c (CVE-2010-0405)
Status: RESOLVED FIXED
Alias: CVE-2010-0405
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.cert.fi/en/reports/2010/vu...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-20 18:41 UTC by Dirkjan Ochtman
Modified: 2013-01-09 00:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dirkjan Ochtman gentoo-dev 2010-09-20 18:41:33 UTC
Can we have someone look at this?
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-20 21:21:29 UTC
We need a version bump first. :)

@base-system: A rename to 1.0.6 works with the exception of the ${PN}-1.0.4-saneso.patch doesn't apply anymore. If you s/1.0.4/1.0.6/g in the patch, it works and builds. I did not runtime test.
Comment 2 David J Cozatt 2010-09-20 21:46:53 UTC
bzip2 (1.0.5-1ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: fix integer overflow in BZ2_decompress()
    - decompress.c: return error if N is larger than 2*1024^2 which keeps es
      from overflowing but leaves enough room for the 900k maximum value of
      the RUNA/RUNB encoding
    - patch from upstream
    - CVE-2010-0405

 -- Jamie Strandboge   Thu, 09 Sep 2010 10:16:51 -0500

also in openbsd

ListWare

    * Subscribe openbsd-ports
    * Support and FAQ

Home - openbsd - openbsd-ports - 201009 - Thread
security update: archivers/bzip2 1.0.6 CVE-2010-0405
by roberthon 2010-09-20T16:32:12+00:00

    * Previous thread: UPDATE: net-snmp
    * Next thread: Security: archivers/bzip2
    * Threads sorted by date: openbsd-ports 201009

Index: archivers/bzip2/Makefile
==================================================================RCS file: /cvs/ports/archivers/bzip2/Makefile,v
retrieving revision 1.57
diff -u -p -u -p -r1.57 Makefile
COMMENT= block-sorting file compressor, unencumbered
-VERSION= 1.0.5
+VERSION= 1.0.6
DISTNAME= bzip2-${VERSION}
CATEGORIES= archivers
MASTER-SITES= ${HOMEPAGE}${VERSION}/
@@ -15,6 +15,8 @@ PERMIT-PACKAGE-CDROM= Yes
PERMIT-PACKAGE-FTP= Yes
PERMIT-DISTFILES-CDROM= Yes
PERMIT-DISTFILES-FTP= Yes
+
+REVISION= 0
WANTLIB= c
BZ2-CFLAGS= -Wall -Winline
Index: archivers/bzip2/distinfo
==================================================================RCS file: /cvs/ports/archivers/bzip2/distinfo,v
retrieving revision 1.6
diff -u -p -u -p -r1.6 distinfo
Re: security update: archivers/bzip2 1.0.6 CVE-2010-0405
by roberthon 2010-09-20T17:10:58+00:00.
Removed unnecessary REVISON, as pointed out by Markus Lude.
Index: archivers/bzip2/Makefile
==================================================================RCS file: /cvs/ports/archivers/bzip2/Makefile,v
retrieving revision 1.57
diff -u -p -r1.57 Makefile
COMMENT= block-sorting file compressor, unencumbered
-VERSION= 1.0.5
+VERSION= 1.0.6
DISTNAME= bzip2-${VERSION}
CATEGORIES= archivers
MASTER-SITES= ${HOMEPAGE}${VERSION}/
Index: archivers/bzip2/distinfo
==================================================================RCS file: /cvs/ports/archivers/bzip2/distinfo,v
retrieving revision 1.6
diff -u -p -r1.6 distinfo
Comment 3 SpanKY gentoo-dev 2010-09-20 22:01:32 UTC
the summary says "<=1.0.6".  should it perhaps say "<1.0.6" ?
Comment 4 SpanKY gentoo-dev 2010-09-20 22:30:13 UTC
bzip-1.0.6 now in the tree
Comment 5 Dirkjan Ochtman gentoo-dev 2010-09-21 07:57:57 UTC
Can we do speedy stabilization?
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-21 08:00:53 UTC
Arches, please test and mark stable:
=app-arch/bzip2-1.0.6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2010-09-21 11:54:56 UTC
amd64 done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-09-21 13:09:29 UTC
Stable for PPC.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2010-09-21 13:30:57 UTC
Stable for HPPA.
Comment 10 Thomas Kahle (RETIRED) gentoo-dev 2010-09-21 14:03:28 UTC
Archtested on x86: Everything fine. Let's get going.
Comment 11 Tomáš Chvátal (RETIRED) gentoo-dev 2010-09-22 13:07:17 UTC
(In reply to comment #10)
> Archtested on x86: Everything fine. Let's get going.
> 

My x86 chroot reports the same. Thanks for testing.
x86 stable.
Comment 12 Myckel Habets (work) 2010-09-22 15:45:01 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > Archtested on x86: Everything fine. Let's get going.
> > 
> 
> My x86 chroot reports the same. Thanks for testing.
> x86 stable.
> 

And a third person from x86 confirming that it is ok. ;)
Comment 13 Kerin Millar 2010-09-22 16:39:27 UTC
I wonder how many packages there are that link in libz2 statically, or have the option of doing so. One pertinent example would be app-arch/pbzip2 which has a "static" USE flag. Does anyone agree that it would be worth issuing a revision bump for pbzip2 with a DEPEND on ">=app-arch/bzip2-1.0.6" for the sole purpose of ensuring that those using statically built versions are covered by way of a routine upgrade?
Comment 14 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-22 16:46:11 UTC
If necessary I can give you at least a vague idea about that… but as I said it's vague.
Comment 15 Kerin Millar 2010-09-22 16:47:59 UTC
Here's a full list of packages which depend on app-arch/bzip2 that may be built statically, if anyone is interested. There may be a few false positives as I'm not in a position to verify that each of these actually links in libbz2, as opposed to just calling upon the bzip2 application.

app-arch/dump
app-arch/libarchive
app-arch/pbzip2
app-crypt/gnupg
dev-libs/libpcre
media-gfx/imagemagick
media-libs/coin
media-video/ffmpeg
sys-block/partimage
sys-cluster/cluster-glue
Comment 16 SpanKY gentoo-dev 2010-09-22 18:29:32 UTC
if a package is always linking statically, that's a bug and you should open one

as for people doing USE=static, that isnt our concern for today and it isnt specific to USE=bzip2
Comment 17 Markus Meier gentoo-dev 2010-09-23 20:49:52 UTC
arm stable
Comment 18 Tobias Klausmann gentoo-dev 2010-09-26 16:14:22 UTC
Stable on alpha.
Comment 19 Samuli Suominen (RETIRED) gentoo-dev 2010-09-29 04:48:05 UTC
ppc64 stable
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-01 20:28:35 UTC
CVE-2010-0405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0405):
  Integer overflow in the BZ2_decompress function in decompress.c in
  bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to
  cause a denial of service (application crash) or possibly execute
  arbitrary code via a crafted compressed file.

Comment 21 Raúl Porcel (RETIRED) gentoo-dev 2010-10-09 16:30:55 UTC
ia64/m68k/s390/sh/sparc stable
Comment 22 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-13 04:04:22 UTC
GLSA request filed.
Comment 23 Dirkjan Ochtman gentoo-dev 2012-02-16 14:17:16 UTC
Presumably this can be closed?
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2013-01-09 00:51:34 UTC
This issue was resolved and addressed in
 GLSA 201301-05 at http://security.gentoo.org/glsa/glsa-201301-05.xml
by GLSA coordinator Stefan Behte (craig).