FS#20906 : Possible integer overflow vulnerability in bzip2

FS#20906 - Possible integer overflow vulnerability in bzip2 < 1.0.6

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 21 September 2010, 16:18 GMT
Last edited by Pierre Schmitz (Pierre) - Tuesday, 21 September 2010, 16:39 GMT

Task Type	Bug Report
Category	Packages: Core
Status	Closed
Assigned To	No-one
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description:
The bzip2 package of Archlinux is out of date. As the new version is a security date update (fixing an integer overflow vulnerability, see CVE-2010-0405), I'm filing this as a critical bug instead of just flagging the bzip2 package as out of date. Please consider that there might also be other packages in the repo which could have linked statically the vulnerable version op libzip2.
http://www.bzip.org/index.html
http://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/

Additional info:
Packages known to be affected: bzip2 < 1.0.6
Other packages may be affected too, see above.

Steps to reproduce:
bzip2 --version

This task depends upon

Closed by Pierre Schmitz (Pierre)
Tuesday, 21 September 2010, 16:39 GMT
Reason for closing: Not a bug

Comment by Pascal Ernster (hardfalcon) - Tuesday, 21 September 2010, 16:23 GMT

Oh, seems bzip2 was updated in [testing] just while I filed this bug. Can this be closed, or should it stay open until the package in [core] is also updated?

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#20906 - Possible integer overflow vulnerability in bzip2 < 1.0.6

Details

Loading...