Hi Mark,

On Sun, Jun 30, 2019 at 06:01:35PM +0200, Mark Wielaard wrote:
> See the upstream discussion on the bzip2-devel mailing list:
> https://sourceware.org/ml/bzip2-devel/2019-q2/msg00024.html
>
> In particular this workaround patch for some (buggy lbzip2 compressed)
> files that bzip2 1.0.6 could decompress, but 1.0.7 (with the
> CVE-2019-12900 hardening patch) cannot:
> https://sourceware.org/ml/bzip2-devel/2019-q2/msg00031.html

Yes, saw the upstream discussion.

> Testing and feedback appreciated.

It is not very helpful I think, because I do not have a good testing
corpus. What I did is to apply the patch on top of our current
1.0.6-9.1 (which has the issue after fixing CVE-2019-12900), and tested
it with the problematic file from
https://developer.nvidia.com/embedded/dlc/l4t-jetson-xavier-driver-package-31-1-0 .
But apart from that I do not have at the moment better feedback :(

Regards,
Salvatore