According to CVE-2019-12900, bzip2 <= version 1.0.6 suffers an issue where code can be executed on any system processing a compromised archive. E.g. a virus scanner for mail unpacking the archive may execute code as the user, running the decompression.
Content of the CVE:
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors..
Please add the commit https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc as patch to the gentoo package. (e.g. as 1.0.6-r3)
Steps to Reproduce:
Please see the CVE for reproduction.
Unprivileged code being executed
Code will not be executed.
Correction: Type: 1.0.6-r2 should be 1.0.6-r11 so a patch as r12 would be nice.
As far as I can see, -r11 already includes the fix for CVE-2019-12900:
decompress.c:291 if (nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
Fix is already in 1.0.6