new upstream release 1.05 with security fix

Bug #203997 reported by André Klitzing
Affects               Status        Importance  Assigned to  Milestone
bzip2 (Arch Linux)    Fix Released  Undecided   Unassigned
bzip2 (Gentoo Linux)  Fix Released  Medium
bzip2 (Mandriva)      Unknown       Unknown
bzip2 (Ubuntu)        Fix Released  Low         Kees Cook

Bug Description

Binary package hint: bzip2

The current version is 1.0.5, released 17 March 2008.

Version 1.0.5 removes a potential security vulnerability (CERT-FI 20469 as it applies to bzip2) in versions 1.0.4 and earlier, so all users are recommended to upgrade immediately.

https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html

CHANGES:
1.0.5 (10 Dec 07)
~~~~~~~~~~~~~~~~~
Security fix only. Fixes CERT-FI 20469 as it applies to bzip2.

CVE References

CVE-2008-1372

Revision history for this message
hanno (hanno-gentoo-bugs) wrote:

CERT-FI did a fuzzing tool test and discovered issues in various archiving tools.

bzip2 is vulnerable, fixed in 1.0.5. This code is probably bundled in some other packages.

vapier (vapier-gentoo-bugs) wrote:

I've added 1.0.5 to the tree ... now if only they didn't screw up the packaging of it ...

rbu (rbu-gentoo-bugs) wrote:

Arches, please test and mark stable:
=app-arch/bzip2-1.0.5
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 release s390 sh sparc x86"

rbu (rbu-gentoo-bugs) wrote:

Created attachment 146488
bzip2-CERT-FI-20469.patch

Just for reference, the patch.

fmccor (fmccor-gentoo-bugs) wrote:

Sparc stable. All tests pass, it works on my files, and portage can use it.

jer (jer-gentoo-bugs) wrote:

(In reply to comment #4)
> Sparc stable. All tests pass, it works on my files, and portage can use it.

That's odd. Ferris forgot to mark the ebuild. So er, stable for HPPA and SPARC then. :)

dertobi123 (dertobi123-gentoo-bugs) wrote:

ppc stable

armin76 (armin76-gentoo-bugs) wrote:

alpha/ia64/x86 stable

beandog (beandog-gentoo-bugs) wrote:

amd64 stable

rhill (rhill-gentoo-bugs) wrote:

There's no need to CC mips on security stabilization bugs. We're ~arch only.

corsair (corsair-gentoo-bugs) wrote:

ppc64 stable

Kees Cook (kees) wrote:

CVE-2008-1372

Changed in bzip2:
assignee: nobody → keescook
importance: Undecided → Low
status: New → Confirmed

pva (pva-gentoo-bugs) wrote:

Fixed in release snapshot.

rbu (rbu-gentoo-bugs) wrote:

Request filed.

Kees Cook (kees) wrote:

This has been released as: http://www.ubuntu.com/usn/usn-590-1

Changed in bzip2:
status: Confirmed → Fix Released
Changed in bzip2:
status: Unknown → Confirmed

py (py-gentoo-bugs) wrote:

GLSA 200804-02

Changed in bzip2:
status: Confirmed → Fix Released
André Klitzing (misery)
Changed in bzip2:
status: New → In Progress
André Klitzing (misery)
Changed in bzip2:
status: In Progress → Fix Released
Changed in bzip2 (Gentoo Linux):
importance: Unknown → Medium