Thanks, I've committed a tweaked version.
On 2019/06/24 16:28, Henry Jensen wrote:
> Greetings,
>
> attached diff fixes CVE-2019-12900 (BZ2_decompress in decompress.c in
> bzip2 through 1.0.6 has an out-of-bounds write when there are many
> selectors.) The vulnerability has a CVSS v3.0 score of 9.8 "CRITICAL".
>
> It is essentially the patch from
> https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
>
> Comments?
>
> Kind Regards,
>
> Henry
> diff -urN archivers/bzip2/Makefile mystuff/archivers/bzip2/Makefile
> --- archivers/bzip2/Makefile Fri Aug 24 21:06:12 2018
> +++ mystuff/archivers/bzip2/Makefile Mon Jun 24 15:37:39 2019
> @@ -3,7 +3,7 @@
> COMMENT= block-sorting file compressor, unencumbered
>
> DISTNAME= bzip2-1.0.6
> -REVISION= 9
> +REVISION= 10
>
> CATEGORIES= archivers
>
> diff -urN archivers/bzip2/patches/patch-decompress_c
> mystuff/archivers/bzip2/patches/patch-decompress_c
> --- archivers/bzip2/patches/patch-decompress_c Thu Jan 1 01:00:00 1970
> +++ mystuff/archivers/bzip2/patches/patch-decompress_c Mon Jun 24
> 15:50:00 2019
> @@ -0,0 +1,12 @@
> +Index: decompress.c
> +--- decompress.c.orig
> ++++ decompress.c
> +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)
> RETURN(BZ_DATA_ERROR);
> + for (i = 0; i < nSelectors; i++) {
> + j = 0;
> + while (True) {
