Your message dated Wed, 29 Sep 2010 18:19:28 +0200
with message-id <20100929161928.gb13...@inutil.org>
and subject line Re: bzip2 1.0.6 still needed
has caused the Debian Bug report #597540,
regarding [SECURITY] [DSA-2112-1] CVE-2010-0405 integer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
597540: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597540
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bzip2
Version: 1.0.5-5
Severity: serious
Tags: security patch pending
On Mon, Sep 20, 2010 at 11:05:59AM +0000, Stefan Fritsch wrote:
> Mikolaj Izdebski has discovered an integer overflow flaw in the
> BZ2_decompress function in bzip2/libbz2. An attacker could use a
> crafted bz2 file to cause a denial of service (application crash)
> or potentially to execute arbitrary code. (CVE-2010-0405)
On Mon, Sep 13, 2010 at 06:18:30AM +0200, Stefan Fritsch wrote:
>diff -U 5 bzip2-1.0.5-orig/decompress.c bzip2-1.0.5-mod/decompress.c
>--- bzip2-1.0.5-orig/decompress.c 2007-12-09 13:31:31.000000000 +0100
>+++ bzip2-1.0.5-mod/decompress.c 2010-06-23 23:05:49.000000000 +0200
>@@ -379,10 +379,17 @@
> if (nextSym == BZ_RUNA || nextSym == BZ_RUNB) {
>
> es = -1;
> N = 1;
> do {
>+ /* Check that N doesn't get too big, so that es doesn't
>+ go negative. The maximum value that can be
>+ RUNA/RUNB encoded is equal to the block size (post
>+ the initial RLE), viz, 900k, so bounding N at 2
>+ million should guard against overflow without
>+ rejecting any legitimate inputs. */
>+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
> if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
> if (nextSym == BZ_RUNB) es = es + (1+1) * N;
> N = N * 2;
> GET_MTF_VAL(BZ_X_MTF_3, BZ_X_MTF_4, nextSym);
> }
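Review bot: the bound in the added check, `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);`, is 2 MiB (2,097,152), not the "2 million" the new comment says; either write the constant as the comment describes it or reword the comment, since the two will otherwise drift apart in the next edit. The placement is right: the check runs at the top of the `do` body, before `es = es + (1+1) * N` and `N = N * 2`, so every value of N that reaches the multiply is below 2^21 and the largest addend (2 * N) is below 2^22, which keeps `es` well inside a 32-bit signed range instead of letting the unbounded `N = N * 2` doubling wrap after about 31 RUNA/RUNB symbols and drive `es` negative, exactly the case the comment describes. Worth adding alongside the fix: a regression input with an over-long RUNA/RUNB run, to confirm the decoder now returns BZ_DATA_ERROR on it rather than continuing, and a check that the largest legitimate run (the 900k block size the comment cites, which needs N no higher than 2^19 here) still decodes.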
--- End Message ---
--- Begin Message ---
Version: 1.0.5-6
On Tue, Sep 28, 2010 at 03:21:05PM -0500, Dirk Eddelbuettel wrote:
>
> reopen 597540
> thanks
>
> I just noticed that the current (dev) release of R checks for libbz2 >= 1.0.6
> and started to look around ... and noticed that Joss commented on
> accidentally closing the RC bug but didn't actually reopen it.
bzip2 has been fixed in 1.0.5-6 with a backported fix.
This is rather a bug in the R build scripts, since it's standard
behaviour to fix security issues with backports. It should not
rely on version numbers.
Cheers,
Moritz
--- End Message ---