Your message dated Sat, 28 May 2005 01:02:26 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#310803: fixed in bzip2 1.0.2-7 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 May 2005 05:59:53 +0000
>From [EMAIL PROTECTED] Wed May 25 22:59:53 2005
Return-path: <[EMAIL PROTECTED]>
Received: from sdcarl02.strategicdata.com.au (sd01.mel.strategicdata.com.au) [203.214.67.82]
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DbBPN-000219-00; Wed, 25 May 2005 22:59:53 -0700
Received: from sd01 (localhost [127.0.0.1])
	by mail-int.strategicdata.com.au (Postfix) with ESMTP id B873CC00150D
	for <[EMAIL PROTECTED]>; Thu, 26 May 2005 15:59:50 +1000 (EST)
Received: from sd01.mel.strategicdata.com.au (localhost [])
	by localhost ([127.0.0.1]); Thu, 26 May 2005 05:59:50 +0000
Received: from carthanach.mel.strategicdata.com.au (carthanach.mel.strategicdata.com.au [192.168.1.64])
	by sd01.mel.strategicdata.com.au (Postfix) with ESMTP id 95B6CC00150D
	for <[EMAIL PROTECTED]>; Thu, 26 May 2005 15:59:50 +1000 (EST)
Received: by carthanach.mel.strategicdata.com.au (Postfix, from userid 1188)
	id 28A6C390001; Thu, 26 May 2005 15:59:50 +1000 (EST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Geoff Crompton <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: bzip2: CAN-2005-1260 decompression bomb vulnerability
X-Mailer: reportbug 3.8
Date: Thu, 26 May 2005 15:59:50 +1000
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_20,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

Package: bzip2
Version: 1.0.2-6
Severity: critical
Justification: breaks the whole system

See http://www.securityfocus.com/bid/13657 for more info.

Quoting from MDKSA-2005:091
> A vulnerability was found where specially crafted bzip2 archives would
> cause an infinite loop in the decompressor, resulting in an
> indefinitely large output file (also known as a "decompression
> bomb"). This could be exploited to cause a Denial of Service attack
> on the host computer due to disk space exhaustion (CAN-2005-1260).

Ubuntu have released advisory USN-127-1. I had a look through the patch that this cited, but I couldn't tell which parts of it were related to this, which were related to CAN-2005-0953, and which were other mods. I pulled this patch from http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.1.diff.gz

I've also not been able to find a diff between 1.0.2 and 1.0.3 from upstream.

I've marked this RC as it can hose a system, but if others think the likelihood of exploit is fairly small, I've no problems with it being reclassified.
-- 
Geoff Crompton

---------------------------------------
Received: (at 310803-close) by bugs.debian.org; 28 May 2005 05:09:01 +0000
>From [EMAIL PROTECTED] Fri May 27 22:09:01 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DbtZF-0007in-00; Fri, 27 May 2005 22:09:01 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DbtSs-0007Zy-00; Sat, 28 May 2005 01:02:26 -0400
From: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#310803: fixed in bzip2 1.0.2-7
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 28 May 2005 01:02:26 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 2

Source: bzip2
Source-Version: 1.0.2-7

We believe that the bug you reported is fixed in the latest version of bzip2, which is due to be installed in the Debian FTP archive:

bzip2_1.0.2-7.diff.gz
  to pool/main/b/bzip2/bzip2_1.0.2-7.diff.gz
bzip2_1.0.2-7.dsc
  to pool/main/b/bzip2/bzip2_1.0.2-7.dsc
bzip2_1.0.2-7_i386.deb
  to pool/main/b/bzip2/bzip2_1.0.2-7_i386.deb
libbz2-1.0_1.0.2-7_i386.deb
  to pool/main/b/bzip2/libbz2-1.0_1.0.2-7_i386.deb
libbz2-dev_1.0.2-7_i386.deb
  to pool/main/b/bzip2/libbz2-dev_1.0.2-7_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <[EMAIL PROTECTED]> (supplier of updated bzip2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 28 May 2005 14:05:46 +1000
Source: bzip2
Binary: libbz2-1.0 bzip2 libbz2-dev
Architecture: source i386
Version: 1.0.2-7
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Changed-By: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Description: 
 bzip2      - high-quality block-sorting file compressor - utilities
 libbz2-1.0 - high-quality block-sorting file compressor library - runtime
 libbz2-dev - high-quality block-sorting file compressor library - development
Closes: 293581 310803
Changes: 
 bzip2 (1.0.2-7) unstable; urgency=high
 .
   * Fixed "CAN-2005-1260 decompression bomb vulnerability", closes: #310803.
     Patch by Martin Pitt <[EMAIL PROTECTED]>.
   * Fixed "Example provided in documentation causes data loss", closes: #293581.
     Patch by Adam Borowski <[EMAIL PROTECTED]>.
Files: 
 6e0e0ccfea94e3f194fa24d413ebc87f 577 utils standard bzip2_1.0.2-7.dsc
 444ffa10d91ca582f63a75dd8908c994 16264 utils standard bzip2_1.0.2-7.diff.gz
 ff6d4aa0fc45cb62949b564ee4a4a7fb 38682 libs standard libbz2-1.0_1.0.2-7_i386.deb
 524000f103f5f03ac835bfe2991d8c05 30308 libdevel optional libbz2-dev_1.0.2-7_i386.deb
 4c5ed64e1e60d63f0acb9c5f7df05445 233356 utils optional bzip2_1.0.2-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCl/aTgY5NIXPNpFURAnWkAKDGuKmt9+4pkai5sqJr6oFyV1uACACgtTLl
n4tCRKKXaa77D9VN5z6DZDo=
=IuJj
-----END PGP SIGNATURE-----
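The bug report above describes CAN-2005-1260 as a decompression bomb: a crafted bzip2 stream that keeps the decompressor emitting output until the disk fills. The library fix in 1.0.2-7 addresses the decompressor itself; the consumer-side control a practitioner wants alongside it is a hard ceiling on decompressed output, so that no stream, crafted or merely oversized, can expand past what the caller is prepared to store. The following is an added example and is not code from the bug report, from the Ubuntu or Debian patches, or from the bzip2 project. It uses Python's incremental `bz2.BZ2Decompressor` with `max_length` to pull output in bounded chunks and abort once a cap is exceeded. The 10 MiB default cap, the `DecompressionBombError` name, the helper names and the two sample streams (a benign text payload and a 4 MiB run of zero bytes compressed to a few hundred bytes, standing in for a hostile stream) are constructed for this example.

```python
import bz2

# Default ceiling on decompressed output. The value is an assumption of this
# example; size it for the payloads the caller actually expects.
DEFAULT_MAX_OUTPUT = 10 * 1024 * 1024  # 10 MiB


class DecompressionBombError(ValueError):
    """Raised when a bzip2 stream expands beyond the permitted output size."""


def bounded_bz2_decompress(data: bytes, max_output: int = DEFAULT_MAX_OUTPUT,
                           chunk: int = 64 * 1024) -> bytes:
    """Decompress a single bzip2 stream without ever holding more than
    max_output bytes of output.

    Input is fed in chunks and output is pulled in chunks via max_length, so a
    stream that keeps producing output (the failure mode described for
    CAN-2005-1260) is cut off with an exception instead of filling memory or
    disk. A stream that ends before its end-of-stream marker is reported as
    truncated rather than silently accepted.
    """
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pos = 0
    while not decomp.eof:
        if decomp.needs_input:
            if pos >= len(data):
                # Input exhausted before the end-of-stream marker.
                raise ValueError("truncated bzip2 stream")
            feed = data[pos:pos + chunk]
            pos += len(feed)
        else:
            # Decompressor still holds output it could not emit last round.
            feed = b""
        out += decomp.decompress(feed, max_length=chunk)
        if len(out) > max_output:
            raise DecompressionBombError(
                f"output exceeded {max_output} bytes after consuming "
                f"{pos} of {len(data)} compressed bytes")
    return bytes(out)


def is_decompression_bomb(data: bytes, max_output: int = DEFAULT_MAX_OUTPUT) -> bool:
    """True if the stream would expand past max_output; other errors propagate."""
    try:
        bounded_bz2_decompress(data, max_output=max_output)
    except DecompressionBombError:
        return True
    return False


# Constructed sample inputs for this example (not taken from the bug report or
# any advisory): a benign text payload, and a highly repetitive payload that
# compresses to a few hundred bytes but expands to 4 MiB.
BENIGN_PLAIN = b"bzip2 1.0.2-7 closes #310803 (CAN-2005-1260)\n" * 200
BENIGN_BZ2 = bz2.compress(BENIGN_PLAIN)
BOMB_PLAIN_SIZE = 4 * 1024 * 1024
CONSTRUCTED_BOMB = bz2.compress(b"\x00" * BOMB_PLAIN_SIZE)


if __name__ == "__main__":
    print(f"benign stream: {len(BENIGN_BZ2)} compressed bytes -> "
          f"{len(bounded_bz2_decompress(BENIGN_BZ2))} bytes")
    print(f"constructed bomb: {len(CONSTRUCTED_BOMB)} compressed bytes, "
          f"expands to {BOMB_PLAIN_SIZE}; rejected with a 1 MiB cap: "
          f"{is_decompression_bomb(CONSTRUCTED_BOMB, max_output=1 << 20)}")
```

Two caveats. `BZ2Decompressor` handles one bzip2 stream; bzip2(1) and `bz2.decompress` also accept concatenated streams, so a wrapper for those should loop over `decomp.unused_data` with a new decompressor while keeping the same running output total. And the cap bounds output, not CPU time: a decompressor that spins without emitting anything would never return to this loop, which is why the library-side fix shipped in 1.0.2-7 is still required and this check complements rather than replaces it.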