Bug 627882 - (CVE-2010-0405) CVE-2010-0405 bzip2: integer overflow flaw in BZ2_decompress
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,source=vendor-sec,re...
Keywords: Security
Depends On: 632170 632171 632172 632173 632174 632268 632269 636057 833882
Reported: 2010-08-27 05:39 EDT by Tomas Hoger
Modified: 2016-03-04 07:51 EST
Doc Type: Bug Fix
Last Closed: 2010-11-11 03:19:25 EST

Attachments:
  Proposed patch (1.05 KB, patch), 2010-08-27 05:40 EDT, Tomas Hoger
  bzip2 1.0.5 -> 1.0.6 diff (2.21 KB, patch), 2010-09-20 05:23 EDT, Tomas Hoger

Description Tomas Hoger 2010-08-27 05:39:39 EDT
A bzip2 security issue was reported to Debian security team:

  Mikołaj Izdebski has discovered an integer overflow flaw in the
  BZ2_decompress function in bzip2/libbz2. An attacker could use a
  crafted bz2 file to cause a denial of service (application crash) or
  potentially to execute arbitrary code. (CVE-2010-0405)
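The report above states only the effect (a crash or possible code execution from a crafted .bz2), not the arithmetic behind it. The following is an added example, not code from this bug report, from bzip2 or from Red Hat: it models the RUNA/RUNB run-length accumulation in BZ2_decompress, where a 32-bit weight N is doubled once per symbol and added into the run length es, and shows the bound that bzip2 1.0.6 places in front of that step. The loop shape and the 2 MiB limit are recalled from the upstream 1.0.6 decompress.c rather than stated on this page, so treat them as assumptions; the symbol sequences are constructed for illustration, not taken from a real stream.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Symbol values as bzip2's decompress.c names them (BZ_RUNA / BZ_RUNB). */
enum { RUNA = 0, RUNB = 1 };

/* Bound applied to N before each accumulation step (assumption: recalled
   from upstream bzip2 1.0.6 decompress.c, not from this bug report). The
   largest run a legitimate block can encode is the block size, under 1 MiB,
   so rejecting N >= 2 MiB loses no valid input. */
#define RUN_N_LIMIT (2 * 1024 * 1024)

/* Decode one run length from a RUNA/RUNB symbol sequence the way
   BZ2_decompress accumulates it: es starts at -1, each RUNA adds N, each
   RUNB adds 2*N, N doubles, and the run length is es + 1.
   checked == 0: the loop runs unguarded, as before the fix. 32-bit
   wraparound is modelled with unsigned arithmetic because signed overflow
   is undefined in C; the int32_t casts wrap on every common compiler.
   checked != 0: the 1.0.6 bound is applied and -1 is returned once N
   reaches it (the decoder itself returns BZ_DATA_ERROR at that point). */
int32_t decode_run_length(const int *syms, size_t nsyms, int checked)
{
    int32_t es = -1;
    int32_t N  = 1;

    for (size_t i = 0; i < nsyms; i++) {
        if (checked && N >= RUN_N_LIMIT)
            return -1;
        uint32_t add = (syms[i] == RUNA) ? (uint32_t)N : 2u * (uint32_t)N;
        es = (int32_t)((uint32_t)es + add);
        N  = (int32_t)((uint32_t)N * 2u);
    }
    /* The decoder increments es after the loop. Without the bound a long
       symbol run wraps es, so the "length" handed to the block-filling
       loop can be negative; that is what the bound exists to prevent. */
    return (int32_t)((uint32_t)es + 1u);
}

/* Convenience for the worked cases below: a run of `count` copies of `sym`. */
int32_t decode_repeated(int sym, int count, int checked)
{
    int syms[64];
    if (count < 0 || count > 64) return -1;
    for (int i = 0; i < count; i++) syms[i] = sym;
    return decode_run_length(syms, (size_t)count, checked);
}

int main(void)
{
    /* Constructed inputs: short legitimate runs, then an over-long run of
       RUNB symbols such as a crafted stream could carry. */
    printf("RUNA             -> %d\n", decode_repeated(RUNA, 1, 1));
    printf("RUNB RUNB        -> %d\n", decode_repeated(RUNB, 2, 1));
    printf("32 x RUNB, raw   -> %d\n", decode_repeated(RUNB, 32, 0));
    printf("32 x RUNB, 1.0.6 -> %d\n", decode_repeated(RUNB, 32, 1));
    return 0;
}
```

The unguarded path returns a negative run length for the 32-symbol input, while the bounded path rejects it as soon as N reaches 2 MiB, which happens after 21 symbols and still leaves every run a real block can contain decodable.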
Comment 1 Tomas Hoger 2010-08-27 05:40:49 EDT
Created attachment 441451: Proposed patch
Comment 7 Tomas Hoger 2010-09-20 05:23:42 EDT
Created attachment 448401: bzip2 1.0.5 -> 1.0.6 diff

The fix added in bzip2 1.0.6 has additional sanity checks compared to the previously proposed patch.
Comment 8 Tomas Hoger 2010-09-20 05:24:57 EDT
Public now via bzip2 1.0.6 release.
Comment 9 Tomas Hoger 2010-09-20 10:41:56 EDT
CCing clamav maintainers; clamav contains an embedded copy of the bzip code in libclamav/nsis/bzlib.c.
Comment 10 errata-xmlrpc 2010-09-20 21:08:57 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0703 https://rhn.redhat.com/errata/RHSA-2010-0703.html
Comment 12 Tomas Hoger 2010-09-21 10:44:48 EDT
(In reply to comment #9)
> CCing clamav maintainers, clamav contains embedded copy of bzip code in
> libclamav/nsis/bzlib.c .

This is now fixed in clamav upstream version 0.96.3.  Upstream commit:

http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff;h=fcd8091474d12592d509adcfd0bdd0b0dc8835f5#patch4
Comment 13 Vincent Danen 2010-09-21 12:14:39 EDT
Clamav shouldn't need to be updated because of this.  libclamav uses libbz2, and there are buildrequires on bzip2-devel, so it should not be using its internal bzip2 copy at all.
Comment 14 Tomas Hoger 2010-09-21 14:52:41 EDT
I admit I may be wrong here, or confused by a report mentioning this embedded bzip code copy in clamav.  Looking at the build.log, libclamav/nsis/bzlib.c is compiled when building Fedora clamav packages and does not contain any #ifdefs to wrap system libbz2.  libclamav links system libbz2 and does use it to decompress bz2 files.  nsis/bzlib.c only seems to be used by nsis (Nullsoft Scriptable Install System) unpacker.  Corrections welcome.
Comment 15 Vincent Danen 2010-09-21 16:10:21 EDT
Sorry, looks like you may be right after all.  I'm not sure why it links to libbz2 and also contains this bzlib.c.  At any rate, yes, clamav should be updated to correct this as it does not look as though the system libbz2 changes will have any impact there.

Sorry for adding to the confusion.
Comment 16 errata-xmlrpc 2010-11-10 13:59:26 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0858 https://rhn.redhat.com/errata/RHSA-2010-0858.html
Comment 17 J.Kratochvil 2010-11-11 06:19:10 EST
I think it's time to move the patch from Fedora 12 updates-testing repository to Fedora 12 updates repository. Updates-testing repository is not enabled by default, so I suppose that a lot of Fedora 12 users are still affected by this security problem.