Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 688614 (CVE-2019-12900) - <app-arch/bzip2-1.0.6-r11: out-of-bounds write
Summary: <app-arch/bzip2-1.0.6-r11: out-of-bounds write
Alias: CVE-2019-12900
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
Whiteboard: A4 [noglsa cve]
Depends on:
Reported: 2019-06-24 14:59 UTC by Robert Holzknecht
Modified: 2019-08-10 16:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Holzknecht 2019-06-24 14:59:55 UTC
According to CVE-2019-12900, bzip2 <= version 1.0.6 suffers an issue where code can be executed on any system processing a compromised archive. E.g. a virus scanner for mail unpacking the archive may execute code as the user, running the decompression.

Content of the CVE:
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors..

Please add the commit as patch to the gentoo package. (e.g. as 1.0.6-r3)


Reproducible: Always

Steps to Reproduce:
Please see the CVE for reproduction.
Actual Results:  
Unprivileged code being executed 

Expected Results:  
Code will not be executed.
Comment 1 Robert Holzknecht 2019-06-24 15:01:51 UTC
Correction: Type: 1.0.6-r2 should be 1.0.6-r11 so a patch as r12 would be nice.

Comment 2 Alexander Bezrukov 2019-06-29 21:54:17 UTC
As far as I can see, -r11 already includes the fix for CVE-2019-12900:

decompress.c:291  if (nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-08-10 16:59:35 UTC
Fix is already in 1.0.6