Bug 627882 (CVE-2010-0405) - CVE-2010-0405 bzip2: integer overflow flaw in BZ2_decompress
Summary: CVE-2010-0405 bzip2: integer overflow flaw in BZ2_decompress
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0405
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 632170 632171 632172 632173 632174 632268 632269 636057 833882
Blocks:
 
Reported: 2010-08-27 09:39 UTC by Tomas Hoger
Modified: 2019-09-29 12:38 UTC
CC List: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-11 08:19:25 UTC
Embargoed:


Attachments
Proposed patch (1.05 KB, patch) - 2010-08-27 09:40 UTC, Tomas Hoger
bzip2 1.0.5 -> 1.0.6 diff (2.21 KB, patch) - 2010-09-20 09:23 UTC, Tomas Hoger


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0703 0 normal SHIPPED_LIVE Important: bzip2 security update 2010-09-21 01:08:30 UTC
Red Hat Product Errata RHSA-2010:0858 0 normal SHIPPED_LIVE Important: bzip2 security update 2010-11-09 17:40:59 UTC

Description Tomas Hoger 2010-08-27 09:39:39 UTC
A bzip2 security issue was reported to Debian security team:

  Mikołaj Izdebski has discovered an integer overflow flaw in the
  BZ2_decompress function in bzip2/libbz2. An attacker could use a
  crafted bz2 file to cause a denial of service (application crash) or
  potentially to execute arbitrary code. (CVE-2010-0405)

Comment 1 Tomas Hoger 2010-08-27 09:40:49 UTC
Created attachment 441451 [details]
Proposed patch

Comment 7 Tomas Hoger 2010-09-20 09:23:42 UTC
Created attachment 448401 [details]
bzip2 1.0.5 -> 1.0.6 diff

The fix added in bzip2 1.0.6 includes additional sanity checks compared to the previously proposed patch.

Comment 8 Tomas Hoger 2010-09-20 09:24:57 UTC
Public now via bzip2 1.0.6 release.

Comment 9 Tomas Hoger 2010-09-20 14:41:56 UTC
CCing clamav maintainers; clamav contains an embedded copy of the bzip2 code in libclamav/nsis/bzlib.c.

Comment 10 errata-xmlrpc 2010-09-21 01:08:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0703 https://rhn.redhat.com/errata/RHSA-2010-0703.html

Comment 12 Tomas Hoger 2010-09-21 14:44:48 UTC
(In reply to comment #9)
> CCing clamav maintainers, clamav contains embedded copy of bzip code in
> libclamav/nsis/bzlib.c .

This is now fixed in clamav upstream version 0.96.3.  Upstream commit:

http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff;h=fcd8091474d12592d509adcfd0bdd0b0dc8835f5#patch4

Comment 13 Vincent Danen 2010-09-21 16:14:39 UTC
Clamav shouldn't need to be updated because of this.  libclamav uses libbz2, and there are buildrequires on bzip2-devel, so it should not be using its internal bzip2 copy at all.

Comment 14 Tomas Hoger 2010-09-21 18:52:41 UTC
I admit I may be wrong here, or confused by a report mentioning this embedded bzip code copy in clamav.  Looking at the build.log, libclamav/nsis/bzlib.c is compiled when building Fedora clamav packages and does not contain any #ifdefs to wrap system libbz2.  libclamav links system libbz2 and does use it to decompress bz2 files.  nsis/bzlib.c only seems to be used by nsis (Nullsoft Scriptable Install System) unpacker.  Corrections welcome.

Comment 15 Vincent Danen 2010-09-21 20:10:21 UTC
Sorry, looks like you may be right after all.  I'm not sure why it links to libbz2 and also contains this bzlib.c.  At any rate, yes, clamav should be updated to correct this as it does not look as though the system libbz2 changes will have any impact there.

Sorry for adding to the confusion.
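
The check this thread ends up needing, as an added example that is not code from the bug report, bzip2 or ClamAV: a scan of a source tree for vendored copies of the bzip2 decompressor, flagging any whose BZ_VERSION (the define in upstream's bzlib_private.h, which BZ2_bzlibVersion() returns) predates the 1.0.6 fix release, and any copy whose version cannot be determined. The sample tree it builds, including the libclamav/nsis path taken from comment 9 and the version strings placed in it, is constructed for the demo and is not ClamAV's real layout.

```python
"""Find vendored copies of the bzip2 decompressor in a source tree and report
those older than the 1.0.6 release that fixed CVE-2010-0405."""
import os
import re
import tempfile

# Upstream release carrying the fix (from the bug report above).
FIXED_VERSION = (1, 0, 6)

# Upstream bzlib_private.h defines the version string, for example
#   #define BZ_VERSION  "1.0.6, 6-Sept-2010"
# and BZ2_bzlibVersion() hands that string back at run time. A vendored
# copy may have dropped or renamed the header, so the decompressor's own
# file names are matched too; such copies are reported as version unknown.
VERSION_RE = re.compile(r'#\s*define\s+BZ_VERSION\s+"(\d+)\.(\d+)\.(\d+)')
DECOMPRESSOR_FILES = {"bzlib.c", "bzlib_private.h", "decompress.c", "huffman.c"}


def parse_bz_version(text):
    """Return (major, minor, patch) from a BZ_VERSION define, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_tree(root):
    """Walk root and return one record per directory that looks like a bzip2 copy."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        present = DECOMPRESSOR_FILES & set(filenames)
        if not present:
            continue
        version = None
        if "bzlib_private.h" in present:
            header = os.path.join(dirpath, "bzlib_private.h")
            with open(header, encoding="utf-8", errors="replace") as f:
                version = parse_bz_version(f.read())
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        findings[rel] = {
            "files": sorted(present),
            "version": version,
            # An unversioned copy cannot be cleared by this scan: flag it for review.
            "needs_update": version is None or version < FIXED_VERSION,
        }
    return findings


def build_sample_tree(root):
    """Constructed sample tree (not ClamAV's real layout) with three vendored copies."""
    samples = {
        # Layout name from comment 9, but the contents here are made up for the demo.
        "libclamav/nsis": {
            "bzlib.c": "/* vendored decompressor */\n",
            "bzlib_private.h": '#define BZ_VERSION  "1.0.5, 10-Dec-2007"\n',
        },
        "third_party/bzip2": {
            "decompress.c": "/* vendored decompressor */\n",
            "bzlib_private.h": '#define BZ_VERSION  "1.0.6, 6-Sept-2010"\n',
        },
        # Single-file copy with no version header at all.
        "tools/unpack": {"bzlib.c": "/* amalgamated copy, header stripped */\n"},
        "src": {"main.c": "int main(void) { return 0; }\n"},  # not a bzip2 copy
    }
    for rel, files in samples.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for name, body in files.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as f:
                f.write(body)


def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
    for path, rec in sorted(findings.items()):
        shown = ".".join(map(str, rec["version"])) if rec["version"] else "unknown"
        flag = "NEEDS UPDATE" if rec["needs_update"] else "ok"
        print(f"{path}: version {shown} -> {flag}")
    return findings


if __name__ == "__main__":
    demo()
```

The point of flagging unknown versions as well is the one comment 13 and 15 illustrate: a system libbz2 in the link line says nothing about whether a copied bzlib.c is compiled in somewhere else, so every copy found has to be either versioned at or above the fix or reviewed by hand.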

Comment 16 errata-xmlrpc 2010-11-10 18:59:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0858 https://rhn.redhat.com/errata/RHSA-2010-0858.html

Comment 17 J.Kratochvil 2010-11-11 11:19:10 UTC
I think it's time to move the patch from Fedora 12 updates-testing repository to Fedora 12 updates repository. Updates-testing repository is not enabled by default, so I suppose that a lot of Fedora 12 users are still affected by this security problem.
