FS#20906 - Possible integer overflow vulnerability in bzip2 < 1.0.6
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 21 September 2010, 16:18 GMT
Last edited by Pierre Schmitz (Pierre) - Tuesday, 21 September 2010, 16:39 GMT
Details
Description:
The bzip2 package of Arch Linux is out of date. As the new version is a security update (fixing an integer overflow vulnerability, see CVE-2010-0405), I'm filing this as a critical bug instead of just flagging the bzip2 package as out of date. Please consider that there might also be other packages in the repo which could have statically linked the vulnerable version of libbzip2.

http://www.bzip.org/index.html
http://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/

Additional info:
Packages known to be affected: bzip2 < 1.0.6
Other packages may be affected too, see above.

Steps to reproduce:
bzip2 --version
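The report's concern about other packages carrying a statically linked copy of the vulnerable libbzip2 can be checked from the defender's side. The following POSIX shell scanner is an added example, not part of the bug report or of the bzip2 project: it assumes that libbz2 embeds its version banner (the string BZ2_bzlibVersion() returns, of the form "1.0.5, 10-Dec-2007") and that a static copy keeps that string inside the binary, so files under a directory can be grepped for it and flagged when the version is older than 1.0.6.

```shell
#!/bin/sh
# Added example (not from the bug report): locate binaries that embed a
# statically linked libbz2 older than the fixed release 1.0.6.
# Assumption: libbz2's BZ_VERSION banner looks like "1.0.5, 10-Dec-2007"
# and survives verbatim inside any binary that links the library statically.

# Print the first embedded libbz2 version banner found in file $1, or nothing.
# -a treats binary files as text, -o prints only the matched part.
bz2_banner() {
    grep -a -o -E '[0-9]+\.[0-9]+\.[0-9]+, [0-9]{1,2}-[A-Za-z]{3,4}-[0-9]{4}' "$1" \
        | head -n 1
}

# Return success when version $1 (e.g. 1.0.5) predates 1.0.6.
# Only the 1.0.x series is older; 1.1.x or 2.x.y would not be.
bz2_older_than_fixed() {
    echo "$1" | awk -F. '{
        older = ($1 < 1) || ($1 == 1 && $2 == 0 && $3 < 6)
        exit older ? 0 : 1
    }'
}

# Walk every regular file under directory $1 and print "<path><TAB><banner>"
# for each file whose embedded libbz2 banner is older than 1.0.6.
scan_static_bz2() {
    find "$1" -type f | while IFS= read -r f; do
        banner=$(bz2_banner "$f")
        [ -n "$banner" ] || continue
        ver=${banner%%,*}            # strip ", 10-Dec-2007" to get "1.0.5"
        if bz2_older_than_fixed "$ver"; then
            printf '%s\t%s\n' "$f" "$banner"
        fi
    done
}
```

On a real system one would point scan_static_bz2 at /usr/bin and /usr/lib and then map each hit back to its owning package (e.g. with pacman -Qo) to see what needs a rebuild.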
This task depends upon
Closed by Pierre Schmitz (Pierre)
Tuesday, 21 September 2010, 16:39 GMT
Reason for closing: Not a bug
Comment by Pascal Ernster (hardfalcon) - Tuesday, 21 September 2010, 16:23 GMT
Oh, seems bzip2 was updated in [testing] just while I filed this bug. Can this be closed, or should it stay open until the package in [core] is also updated?