According to CVE-2019-12900, bzip2 <= version 1.0.6 suffers from an issue where code can be executed on any system processing a compromised archive. E.g. a virus scanner for mail unpacking the archive may execute code as the user running the decompression.

Content of the CVE: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Please add the commit https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc as a patch to the Gentoo package (e.g. as 1.0.6-r3). Thanks.

Reproducible: Always

Steps to Reproduce:
Please see the CVE for reproduction.

Actual Results:
Unprivileged code being executed

Expected Results:
Code will not be executed.
Correction: Typo: 1.0.6-r2 should be 1.0.6-r11, so a patch as r12 would be nice. Thanks.
As far as I can see, -r11 already includes the fix for CVE-2019-12900:

decompress.c:291
    if (nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
Fix is already in 1.0.6 https://gitlab.com/federicomenaquintero/bzip2/commit/812a898b7622de90e98f103ff7fed0984e4548e4
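
The bound enforced by the check quoted in this thread, as an added example that is not bzip2's or Gentoo's code: a simplified model in which the selector count is a 15-bit field (up to 32767) while the table it fills holds BZ_MAX_SELECTORS (18002) entries. The byte-per-selector input layout and the names sel_state, read_selectors and try_count are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BZ_G_SIZE        50
#define BZ_MAX_SELECTORS (2 + (900000 / BZ_G_SIZE))   /* 18002 table entries */
#define DATA_OK          0
#define DATA_ERROR       (-1)

/* Hypothetical stand-in for the decoder state: a fixed-size selector table. */
struct sel_state {
    int32_t nSelectors;
    uint8_t selectorMtf[BZ_MAX_SELECTORS];
};

/* Constructed layout: 2-byte big-endian count (low 15 bits used), then one
 * byte per selector. Every check runs before the first write to the table. */
int read_selectors(struct sel_state *s, const uint8_t *buf, size_t len)
{
    if (len < 2) return DATA_ERROR;
    int32_t n = ((buf[0] << 8) | buf[1]) & 0x7fff;     /* 0..32767 */
    if (n < 1) return DATA_ERROR;
    if (n > BZ_MAX_SELECTORS) return DATA_ERROR;       /* check quoted in the thread */
    if ((size_t)n > len - 2) return DATA_ERROR;        /* truncated input */
    for (int32_t i = 0; i < n; i++)
        s->selectorMtf[i] = buf[2 + i];                /* i < 18002 is guaranteed here */
    s->nSelectors = n;
    return DATA_OK;
}

/* Build a constructed input that declares `count` selectors and parse it. */
int try_count(int count)
{
    static uint8_t buf[2 + 0x7fff];
    static struct sel_state st;
    buf[0] = (uint8_t)(count >> 8);
    buf[1] = (uint8_t)(count & 0xff);
    return read_selectors(&st, buf, sizeof buf);
}

int main(void)
{
    int counts[] = { 1, BZ_MAX_SELECTORS, BZ_MAX_SELECTORS + 1, 0x7fff };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("nSelectors=%5d -> %s\n", counts[i],
               try_count(counts[i]) == DATA_OK ? "accepted" : "BZ_DATA_ERROR");
    return 0;
}
```

Without the upper-bound test, any declared count from 18003 to 32767 would let the copy loop write past the end of selectorMtf.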