Bug 2332075 (CVE-2019-12900)

Summary: CVE-2019-12900 bzip2: bzip2: Data integrity error when decompressing (with data integrity tests fail).
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A data integrity error was found in the decompression path of the bzip2 user-space package. The issue occurs when a user decompresses certain valid .bz2 files (for example the lbzip2/32767.bz2 case from the upstream bzip2-tests suite): the patched bzip2 aborts with "Data integrity error when decompressing" instead of producing the original data, so a local user cannot recover the contents of such files.
Bug Depends On: 2332077

Description OSIDB Bzimport 2024-12-12 14:02:15 UTC
There were several "Security Fixes" for bzip2: out-of-bounds
write in function BZ2_decompress (CVE-2019-12900). e.g. RHSA-2024:8922
and RHSA-2024:10803.

The problem is that CVE-2019-12900 is 5 years old and bogus. The
applied patch causes a change in behavior which causes some bz2 files
to no longer decompress.

Upstream did a better fix for bzip2 1.0.8. Full story is here:
https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/

You can check that the new bzip2 is broken by running the
upstream bzip2 testsuite:

$ git clone https://sourceware.org/git/bzip2-tests.git
$ cd bzip2-tests
$ ./run-tests.sh
[...]
bzip2: Data integrity error when decompressing.
FAIL: ./lbzip2/32767.bz2 Decompress
[...]
Bad results, look for FAIL and !!! in the logs above
 - ./lbzip2/32767.bz2 bad decompress result

There should obviously be no FAILs.

Please revert this patch or apply the followup patch from 1.0.8:
https://inbox.sourceware.org/bzip2-devel/f9230fc65a3529b59b31f13494c72a1c01a6148e.camel@klomp.org/
https://sourceware.org/cgit/bzip2/commit/?id=b07b105d1b66e32760095e3602261738443b9e13

Upstream reminder: please don't "fix" CVE-2019-12900:
https://inbox.sourceware.org/bzip2-devel/20241108214034.GC8315@gnu.wildebeest.org
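
As an added example, not code from the bug report, from bzip2 or from the bzip2-tests corpus: a Python checker for the header field the disputed check examines. Per the upstream write-up linked above, the CVE-2019-12900 patch makes BZ2_decompress reject any block whose selector count exceeds BZ_MAX_SELECTORS (18002), while the 1.0.8 follow-up commit reads up to the 32767 the 15-bit field allows and discards the surplus. The script parses only the stream header and the first block header (everything up to the selector list), reports the count, and flags files a patched bzip2 would refuse, which lets you triage an archive before or after applying one of the errata. The sample input is constructed with the stdlib bz2 module, which wraps libbz2 and therefore never exceeds the limit itself, so on that input the script only demonstrates the parsing; run it on lbzip2 output or on the corpus file to see a rejection. The "rejected_by_cve_patch" field name and the choice to inspect only the first block are assumptions of this example.

```python
"""Report the selector count of the first block in a .bz2 file (added example)."""
import bz2
import random
import sys

BZ_MAX_SELECTORS = 18002        # bzlib_private.h: 2 + 900000 / BZ_G_SIZE (50)
STREAM_MAGIC = 0x425A68         # "BZh"
BLOCK_MAGIC = 0x314159265359    # 48-bit block header (digits of pi)
EOS_MAGIC = 0x177245385090      # 48-bit end-of-stream marker (sqrt(pi))


class BitReader:
    """MSB-first bit reader; bzip2 packs fields big-endian and not byte aligned."""

    def __init__(self, data):
        self.data = data
        self.pos = 0            # absolute bit offset into data

    def read(self, nbits):
        value = 0
        for _ in range(nbits):
            try:
                byte = self.data[self.pos >> 3]
            except IndexError:
                raise ValueError("truncated bzip2 stream") from None
            value = (value << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value


def first_block_selectors(data):
    """Parse the stream header and the first block header of a .bz2 stream.

    Returns the block-size level, Huffman group count, selector count and
    whether a bzip2 carrying the CVE-2019-12900 check would reject the block.
    Only the first block is examined (assumption of this example): later
    block headers are not byte aligned and sit behind Huffman-coded data
    that would require full decoding to reach.
    """
    r = BitReader(data)
    if r.read(24) != STREAM_MAGIC:
        raise ValueError("not a bzip2 stream")
    level = r.read(8) - ord("0")          # '1'..'9' = block size in 100k units
    if not 1 <= level <= 9:
        raise ValueError("bad block-size digit in stream header")
    magic = r.read(48)
    if magic == EOS_MAGIC:                # empty stream: no block at all
        return {"level": level, "empty_stream": True, "groups": 0,
                "selectors": 0, "rejected_by_cve_patch": False}
    if magic != BLOCK_MAGIC:
        raise ValueError("bad block magic 0x%012x" % magic)
    r.read(32)                            # block CRC
    r.read(1)                             # blockRandomised flag
    r.read(24)                            # origPtr (BWT origin row)
    # Symbol map: 16 bits select 16-byte ranges, then 16 bits per used range.
    used_ranges = r.read(16)
    for i in range(16):
        if used_ranges & (0x8000 >> i):
            r.read(16)
    groups = r.read(3)                    # number of Huffman tables, 2..6
    selectors = r.read(15)                # one per 50 MTF symbols; field allows 32767
    if not 2 <= groups <= 6:
        raise ValueError("bad Huffman group count %d" % groups)
    if selectors < 1:
        raise ValueError("block declares zero selectors")
    return {
        "level": level,
        "empty_stream": False,
        "groups": groups,
        "selectors": selectors,
        # The disputed check: nSelectors > BZ_MAX_SELECTORS -> BZ_DATA_ERROR.
        "rejected_by_cve_patch": selectors > BZ_MAX_SELECTORS,
    }


def sample_stream(n, seed=7):
    """Constructed input: n pseudo-random bytes compressed by libbz2 through the
    stdlib, giving a normal single-block stream (n=0 gives an empty stream)."""
    rng = random.Random(seed)
    return bz2.compress(bytes(rng.getrandbits(8) for _ in range(n)))


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("demo:", first_block_selectors(sample_stream(4880)))
    for path in paths:
        with open(path, "rb") as fh:
            info = first_block_selectors(fh.read())
        verdict = ("REJECTED by CVE-2019-12900 check"
                   if info["rejected_by_cve_patch"] else "ok")
        print("%s: %d selectors in first block, %s"
              % (path, info["selectors"], verdict))
```

Invoke it as `python3 check_selectors.py lbzip2/32767.bz2` (any filename; the script name is not fixed) after cloning the test corpus above; a count above 18002 means the bzip2 from the errata will fail with "Data integrity error" while 1.0.8 decompresses the file.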

Comment 2 errata-xmlrpc 2025-01-28 01:09:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:0733 https://access.redhat.com/errata/RHSA-2025:0733

Comment 3 errata-xmlrpc 2025-02-04 09:15:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:0925 https://access.redhat.com/errata/RHSA-2025:0925

Comment 4 errata-xmlrpc 2025-02-06 16:42:56 UTC
This issue has been addressed in the following products:

  RHINT Camel-K 1.10.9

Via RHSA-2025:1154 https://access.redhat.com/errata/RHSA-2025:1154