Package: bzip2
Version: 1.0.5-5
Severity: serious
Tags: security patch pending
On Mon, Sep 20, 2010 at 11:05:59AM +0000, Stefan Fritsch wrote: >Mikolaj Izdebski has discovered an integer overflow flaw in the >BZ2_decompress function in bzip2/libbz2. An attacker could use a >crafted bz2 file to cause a denial of service (application crash) >or potentially to execute arbitrary code. (CVE-2010-0405) On Mon, Sep 13, 2010 at 06:18:30AM +0200, Stefan Fritsch wrote: >diff -U 5 bzip2-1.0.5-orig/decompress.c bzip2-1.0.5-mod/decompress.c >--- bzip2-1.0.5-orig/decompress.c 2007-12-09 13:31:31.000000000 +0100 >+++ bzip2-1.0.5-mod/decompress.c 2010-06-23 23:05:49.000000000 +0200 >@@ -379,10 +379,17 @@ > if (nextSym == BZ_RUNA || nextSym == BZ_RUNB) { > > es = -1; > N = 1; > do { >+ /* Check that N doesn't get too big, so that es doesn't >+ go negative. The maximum value that can be >+ RUNA/RUNB encoded is equal to the block size (post >+ the initial RLE), viz, 900k, so bounding N at 2 >+ million should guard against overflow without >+ rejecting any legitimate inputs. */ >+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR); > if (nextSym == BZ_RUNA) es = es + (0+1) * N; else > if (nextSym == BZ_RUNB) es = es + (1+1) * N; > N = N * 2; > GET_MTF_VAL(BZ_X_MTF_3, BZ_X_MTF_4, nextSym); > }
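Review bot: the new `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` check bounds N but says nothing about why es itself is then safe; it is, because each iteration adds at most `(1+1) * N` to es and N doubles every pass, so with N held below 2*1024*1024 es cannot exceed roughly 4*1024*1024, far from the 32-bit signed limit the comment is worried about, and the comment would be more complete if it stated that es bound alongside the reasoning about the 900k block size. Two smaller points on the same hunk: the limit is a bare magic number, so consider a named macro defined next to the other block-size constants so the rationale in the comment stays attached to the value, and note that because the check sits at the top of the `do` body it runs on the first pass with N = 1 as well, which is harmless but worth a word in the comment so nobody later "optimises" it to run only after `N = N * 2`.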