Bug 627882 (CVE-2010-0405)
| Summary: | CVE-2010-0405 bzip2: integer overflow flaw in BZ2_decompress | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | unspecified | CC: | dshaw, jkratoch, nb, ondrejj, redhat-bugzilla, rh-bugzilla, security-response-team, steve, varekova, vdanen | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2010-11-11 08:19:25 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 632170, 632171, 632172, 632173, 632174, 632268, 632269, 636057, 833882 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
|
Description
Tomas Hoger
2010-08-27 09:39:39 UTC
Created attachment 441451 [details]
Proposed patch
Created attachment 448401 [details]
bzip2 1.0.5 -> 1.0.6 diff
Fix added in bzip2 1.0.6 additional extra sanity checks compared to previously proposed patch.
Public now via bzip2 1.0.6 release. CCing clamav maintainers, clamav contains embedded copy of bzip code in libclamav/nsis/bzlib.c . This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0703 https://rhn.redhat.com/errata/RHSA-2010-0703.html (In reply to comment #9) > CCing clamav maintainers, clamav contains embedded copy of bzip code in > libclamav/nsis/bzlib.c . This is now fixed in clamav upstream version 0.96.3. Upstream commit: http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff;h=fcd8091474d12592d509adcfd0bdd0b0dc8835f5#patch4 Clamav shouldn't need to be updated because of this. libclamav uses libbz2, and there are buildrequires on bzip2-devel so it should not be using it's internal bzip2 copy at all. I admit I may be wrong here, or confused by a report mentioning this embedded bzip code copy in clamav. Looking at the build.log, libclamav/nsis/bzlib.c is compiled when building Fedora clamav packages and does not contain any #ifdefs to wrap system libbz2. libclamav links system libbz2 and does use it to decompress bz2 files. nsis/bzlib.c only seems to be used by nsis (Nullsoft Scriptable Install System) unpacker. Corrections welcome. Sorry, looks like you may be right after all. I'm not sure why it links to libbz2 and also contains this bzlib.c. At any rate, yes, clamav should be updated to correct this as it does not look as though the system libbz2 changes will have any impact there. Sorry for adding to the confusion. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:0858 https://rhn.redhat.com/errata/RHSA-2010-0858.html I think it's time to move the patch from Fedora 12 updates-testing repository to Fedora 12 updates repository. Updates-testing repository is not enabled by default, so I suppose that a lot of Fedora 12 users are still affected by this security problem. |