Bug 438118 (CVE-2008-1372)

Summary: CVE-2008-1372 bzip2: crash on malformed archive file
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amyagi, bressers, jlieskov, kreilly, moritz, skakar, varekova
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1372
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-01 18:30:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 439854, 439855, 461583, 461584, 461585, 461586, 461587, 461588, 833881    
Bug Blocks: 430753    
Attachments:
Description Flags
Upstream patch none

Description Tomas Hoger 2008-03-19 08:09:07 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1372 to the following vulnerability:

bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite.

References:

http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
http://bzip.org/
https://bugs.gentoo.org/attachment.cgi?id=146488&action=view
http://www.kb.cert.org/vuls/id/813451
http://www.securityfocus.com/bid/28286
http://www.frsirt.com/english/advisories/2008/0915
Comment 2 Josh Bressers 2008-03-20 14:03:52 UTC 
Created attachment 298695 [details]
Upstream patch
Comment 6 Josh Bressers 2008-03-31 20:14:35 UTC 
Red Hat does not consider this flaw a security issue. After conducting a
thorough analysis of this flaw, Red Hat believes this issue can only result in a
crash of the bunzip2 process, which we do not consider to have any security impact.
Comment 7 Fedora Update System 2008-04-09 05:18:19 UTC 
bzip2-1.0.4-13.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-04-09 05:22:20 UTC 
bzip2-1.0.4-11.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2008-09-09 09:43:55 UTC 
We have reviewed this bug and will be providing bzip2 updates with backported patch for this issue for Red Hat Enterprise Linux as well.  This issue does not only affect bunzip2 (where this flaw has no security implications), but may also affect any application linked against libbz2 library, including customer-specific applications not shipped in Red Hat Enterprise Linux.  In such use-case, crash / DoS may have security implications.
Comment 12 Red Hat Product Security 2008-10-01 18:30:37 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0893.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2970