Bug 627882 (CVE-2010-0405) - CVE-2010-0405 bzip2: integer overflow flaw in BZ2_decompress
Summary: CVE-2010-0405 bzip2: integer overflow flaw in BZ2_decompress
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0405
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,source=vendor-sec,re...
Depends On: 632170 632171 632172 632173 632174 632268 632269 636057 833882
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-08-27 09:39 UTC by Tomas Hoger
Modified: 2019-06-08 13:05 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-11 08:19:25 UTC


Attachments (Terms of Use)
Proposed patch (1.05 KB, patch)
2010-08-27 09:40 UTC, Tomas Hoger
no flags Details | Diff
bzip2 1.0.5 -> 1.0.6 diff (2.21 KB, patch)
2010-09-20 09:23 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0703 normal SHIPPED_LIVE Important: bzip2 security update 2010-09-21 01:08:30 UTC
Red Hat Product Errata RHSA-2010:0858 normal SHIPPED_LIVE Important: bzip2 security update 2010-11-09 17:40:59 UTC

Description Tomas Hoger 2010-08-27 09:39:39 UTC
A bzip2 security issue was reported to Debian security team:

  Mikołaj Izdebski has discovered an integer overflow flaw in the
  BZ2_decompress function in bzip2/libbz2. An attacker could use a
  crafted bz2 file to cause a denial of service (application crash) or
  potentially to execute arbitrary code. (CVE-2010-0405)

Comment 1 Tomas Hoger 2010-08-27 09:40:49 UTC
Created attachment 441451 [details]
Proposed patch

Comment 7 Tomas Hoger 2010-09-20 09:23:42 UTC
Created attachment 448401 [details]
bzip2 1.0.5 -> 1.0.6 diff

Fix added in bzip2 1.0.6 additional extra sanity checks compared to previously proposed patch.

Comment 8 Tomas Hoger 2010-09-20 09:24:57 UTC
Public now via bzip2 1.0.6 release.

Comment 9 Tomas Hoger 2010-09-20 14:41:56 UTC
CCing clamav maintainers, clamav contains embedded copy of bzip code in libclamav/nsis/bzlib.c .

Comment 10 errata-xmlrpc 2010-09-21 01:08:57 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0703 https://rhn.redhat.com/errata/RHSA-2010-0703.html

Comment 12 Tomas Hoger 2010-09-21 14:44:48 UTC
(In reply to comment #9)
> CCing clamav maintainers, clamav contains embedded copy of bzip code in
> libclamav/nsis/bzlib.c .

This is now fixed in clamav upstream version 0.96.3.  Upstream commit:

http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff;h=fcd8091474d12592d509adcfd0bdd0b0dc8835f5#patch4

Comment 13 Vincent Danen 2010-09-21 16:14:39 UTC
Clamav shouldn't need to be updated because of this.  libclamav uses libbz2, and there are buildrequires on bzip2-devel so it should not be using it's internal bzip2 copy at all.

Comment 14 Tomas Hoger 2010-09-21 18:52:41 UTC
I admit I may be wrong here, or confused by a report mentioning this embedded bzip code copy in clamav.  Looking at the build.log, libclamav/nsis/bzlib.c is compiled when building Fedora clamav packages and does not contain any #ifdefs to wrap system libbz2.  libclamav links system libbz2 and does use it to decompress bz2 files.  nsis/bzlib.c only seems to be used by nsis (Nullsoft Scriptable Install System) unpacker.  Corrections welcome.

Comment 15 Vincent Danen 2010-09-21 20:10:21 UTC
Sorry, looks like you may be right after all.  I'm not sure why it links to libbz2 and also contains this bzlib.c.  At any rate, yes, clamav should be updated to correct this as it does not look as though the system libbz2 changes will have any impact there.

Sorry for adding to the confusion.

Comment 16 errata-xmlrpc 2010-11-10 18:59:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0858 https://rhn.redhat.com/errata/RHSA-2010-0858.html

Comment 17 J.Kratochvil 2010-11-11 11:19:10 UTC
I think it's time to move the patch from Fedora 12 updates-testing repository to Fedora 12 updates repository. Updates-testing repository is not enabled by default, so I suppose that a lot of Fedora 12 users are still affected by this security problem.


Note You need to log in before you can comment on or make changes to this bug.