Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#20906 - Possible integer overflow vulnerability in bzip2 < 1.0.6
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 21 September 2010, 16:18 GMT
Last edited by Pierre Schmitz (Pierre) - Tuesday, 21 September 2010, 16:39 GMT
Details

Description:
The bzip2 package of Archlinux is out of date. As the new version is a security update (fixing an integer overflow vulnerability, see CVE-2010-0405), I'm filing this as a critical bug instead of just flagging the bzip2 package as out of date. Please consider that there might also be other packages in the repo which could have linked statically the vulnerable version of libzip2.

http://www.bzip.org/index.html
http://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/

Additional info:
Packages known to be affected: bzip2 < 1.0.6
Other packages may be affected too, see above.

Steps to reproduce:
bzip2 --version
Closed by Pierre Schmitz (Pierre)
Tuesday, 21 September 2010, 16:39 GMT
Reason for closing: Not a bug
Comment by Pascal Ernster (hardfalcon) - Tuesday, 21 September 2010, 16:23 GMT
Oh, seems bzip2 was updated in [testing] just while I filed this bug. Can this be closed, or should it stay open until the package in [core] is also updated?