FS#65971 - [bsdiff] [security] Unpatched integer range vulnerabilities

Attached to Project: Arch Linux
Opened by: Mingye Wang (arthur2e5) - Wednesday, 25 March 2020, 07:15 GMT
Last edited by: Kyle Keen (keenerd) - Wednesday, 25 March 2020, 20:20 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned (Reopened)
Assigned To: Kyle Keen (keenerd), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No


bsdiff (4.3-9) as currently packaged by Arch Linux is susceptible to a number of old vulnerabilities.

Links to vulnerabilities and patches:
* CVE-2014-9862. See for patch.
* Integer overflow detected by ChromeOS fuzzer. See for patch and for ChromeOS version.
* Unnamed memory corruption in FreeBSD. See for patch and for exploit.

Steps to reproduce:
See links.
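The class of defect the report lists is out-of-range control values in a bsdiff patch. Each control block carries three signed 64-bit values (diff-string length, extra-string length, seek adjustment into the old file) that bspatch turns into buffer lengths and offsets. The validator below is a constructed illustration added here, not the upstream bsdiff code nor any of the patches linked above; it shows the kind of pre-copy range check such patches add, with the function name, argument layout and sample values all assumed for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* A bsdiff patch is a sequence of control blocks, each holding three signed
 * 64-bit values: ctrl[0] = bytes of diff string, ctrl[1] = bytes of extra
 * string, ctrl[2] = seek adjustment into the old file. bspatch uses them as
 * lengths and offsets into heap buffers, so unchecked or wrapped values can
 * read or write outside those buffers. This validator (a constructed
 * illustration, not the upstream or distro patch) rejects a block before any
 * copy happens. Positions are int64 so the comparisons below cannot wrap. */
int bspatch_ctrl_ok(const int64_t ctrl[3], int64_t oldpos, int64_t newpos,
                    int64_t oldsize, int64_t newsize)
{
    /* Lengths must be non-negative and bounded so later index math is safe. */
    if (ctrl[0] < 0 || ctrl[0] > INT_MAX || ctrl[1] < 0 || ctrl[1] > INT_MAX)
        return 0;
    /* newpos must be inside the output and both copies must fit after it.
     * Subtracting first avoids forming newpos + ctrl[0] before it is checked. */
    if (newpos < 0 || newpos > newsize || ctrl[0] > newsize - newpos ||
        ctrl[1] > newsize - newpos - ctrl[0])
        return 0;
    /* The diff step indexes old[oldpos + i] for i < ctrl[0] behind a per-byte
     * bounds guard; keeping oldpos in [0, oldsize] with i <= INT_MAX means
     * oldpos + i cannot wrap and slip past that guard. */
    if (oldpos < 0 || oldpos > oldsize)
        return 0;
    /* After the diff, oldpos advances by ctrl[0] and then seeks by ctrl[2],
     * which may be negative. Check the final position without overflow. */
    int64_t after_diff = oldpos + ctrl[0];            /* <= oldsize + INT_MAX */
    if (ctrl[2] < 0 ? ctrl[2] < -after_diff : ctrl[2] > oldsize - after_diff)
        return 0;
    return 1;
}

/* Stand-alone demo on constructed values: one well-formed block, then a block
 * with a negative length, the kind of out-of-range control value at issue. */
int main(void)
{
    const int64_t good[3] = { 4, 2, -1 };
    const int64_t bad[3]  = { -1, 0, 0 };
    printf("good block: %d\n", bspatch_ctrl_ok(good, 0, 0, 10, 10)); /* 1 */
    printf("bad block:  %d\n", bspatch_ctrl_ok(bad, 0, 0, 10, 10));  /* 0 */
    return 0;
}
```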

Comment by Mingye Wang (arthur2e5) - Wednesday, 25 March 2020, 07:47 GMT