There were several "Security Fixes" for bzip2: out-of-bounds write in function BZ2_decompress (CVE-2019-12900), e.g. RHSA-2024:8922 and RHSA-2024:10803. The problem is that CVE-2019-12900 is 5 years old and bogus. The applied patch causes a change in behavior which causes some bz2 files to no longer decompress. Upstream did a better fix for bzip2 1.0.8. Full story is here: https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/

You can check that the new bzip2 is broken by running the upstream bzip2 testsuite:

$ git clone https://sourceware.org/git/bzip2-tests.git
$ cd bzip2-tests
$ ./run-tests.sh
[...]
bzip2: Data integrity error when decompressing.
FAIL: ./lbzip2/32767.bz2 Decompress
[...]
Bad results, look for FAIL and !!! in the logs above
- ./lbzip2/32767.bz2 bad decompress result

There should obviously be no FAILs.

Please revert this patch or apply the followup patch from 1.0.8:
https://inbox.sourceware.org/bzip2-devel/f9230fc65a3529b59b31f13494c72a1c01a6148e.camel@klomp.org/
https://sourceware.org/cgit/bzip2/commit/?id=b07b105d1b66e32760095e3602261738443b9e13

Upstream reminder: please don't "fix" CVE-2019-12900:
https://inbox.sourceware.org/bzip2-devel/20241108214034.GC8315@gnu.wildebeest.org
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:0733 https://access.redhat.com/errata/RHSA-2025:0733
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:0925 https://access.redhat.com/errata/RHSA-2025:0925
This issue has been addressed in the following products: RHINT Camel-K 1.10.9 Via RHSA-2025:1154 https://access.redhat.com/errata/RHSA-2025:1154