
Bug#931817: marked as done (buster-pu: package bzip2/1.0.6-9.2~deb10u1)



Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #931817,
regarding buster-pu: package bzip2/1.0.6-9.2~deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
931817: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931817
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable release managers,

The update for bzip2 which went into buster is affected by a
regression, tracked as #931278, where some libzip2 compressed files
(created by a "buggy" libzip2 version) could not be uncompressed
anymore.

The issue was fixed upstream, and I cherry-picked the fix into
unstable with 1.0.6-9.2. As the difference between 1.0.6-9.1
and 1.0.6-9.2 is solely that fix, I opted to do a rebuild of the
unstable version to upload for buster, that is 1.0.6-9.2~deb10u1.

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru bzip2-1.0.6/debian/changelog bzip2-1.0.6/debian/changelog
--- bzip2-1.0.6/debian/changelog	2019-06-24 22:15:37.000000000 +0200
+++ bzip2-1.0.6/debian/changelog	2019-07-10 21:17:52.000000000 +0200
@@ -1,3 +1,16 @@
+bzip2 (1.0.6-9.2~deb10u1) buster; urgency=medium
+
+  * Rebuild for buster
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 10 Jul 2019 21:17:52 +0200
+
+bzip2 (1.0.6-9.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Accept as many selectors as the file format allows (Closes: #931278)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 10 Jul 2019 06:25:07 +0200
+
 bzip2 (1.0.6-9.1) unstable; urgency=high
 
   * Non-maintainer upload.
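Review bot: the buster changelog entry says only "Rebuild for buster", which hides why the stable update exists; since this upload is there to repair the decompression regression (#931278) introduced by the previous buster update, the entry should say so, e.g. "Rebuild of 1.0.6-9.2 for buster; fixes decompression regression from the CVE-2019-12900 update (see #931278)", so that anyone reading the stable changelog can tell it is a regression fix rather than a routine rebuild.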
diff -Nru bzip2-1.0.6/debian/patches/Accept-as-many-selectors-as-the-file-format-allows.patch bzip2-1.0.6/debian/patches/Accept-as-many-selectors-as-the-file-format-allows.patch
--- bzip2-1.0.6/debian/patches/Accept-as-many-selectors-as-the-file-format-allows.patch	1970-01-01 01:00:00.000000000 +0100
+++ bzip2-1.0.6/debian/patches/Accept-as-many-selectors-as-the-file-format-allows.patch	2019-07-10 06:23:58.000000000 +0200
@@ -0,0 +1,76 @@
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 3 Jul 2019 01:28:11 +0200
+Subject: Accept as many selectors as the file format allows.
+Origin: https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13
+Bug-Debian: https://bugs.debian.org/931278
+Bug: https://gitlab.com/federicomenaquintero/bzip2/issues/24
+
+But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS.
+
+The theoretical maximum number of selectors depends on the maximum
+blocksize (900000 bytes) and the number of symbols (50) that can be
+encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002.
+
+But the bzip2 file format allows the number of selectors to be encoded
+with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in
+14 bits). So the file format maximum is 32767 selectors.
+
+Some bzip2 encoders might actually have written out more selectors
+than the theoretical maximum because they rounded up the number of
+selectors to some convenient factor of 8.
+
+The extra 14766 selectors can never be validly used by the decompression
+algorithm. So we can read them, but then discard them.
+
+This is effectively what was done (by accident) before we added a
+check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate
+CVE-2019-12900.
+
+The extra selectors were written out after the array inside the
+EState struct. But the struct has extra space allocated after the
+selector arrays of 18060 bytes (which is larger than 14766).
+All of which will be initialized later (so the overwrite of that
+space with extra selector values would have been harmless).
+---
+ compress.c   |  2 +-
+ decompress.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/compress.c
++++ b/compress.c
+@@ -454,7 +454,7 @@ void sendMTFValues ( EState* s )
+ 
+    AssertH( nGroups < 8, 3002 );
+    AssertH( nSelectors < 32768 &&
+-            nSelectors <= (2 + (900000 / BZ_G_SIZE)),
++            nSelectors <= BZ_MAX_SELECTORS,
+             3003 );
+ 
+ 
+--- a/decompress.c
++++ b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
++      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+       for (i = 0; i < nSelectors; i++) {
+          j = 0;
+          while (True) {
+@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s )
+             j++;
+             if (j >= nGroups) RETURN(BZ_DATA_ERROR);
+          }
+-         s->selectorMtf[i] = j;
++         /* Having more than BZ_MAX_SELECTORS doesn't make much sense
++            since they will never be used, but some implementations might
++            "round up" the number of selectors, so just ignore those. */
++         if (i < BZ_MAX_SELECTORS)
++           s->selectorMtf[i] = j;
+       }
++      if (nSelectors > BZ_MAX_SELECTORS)
++        nSelectors = BZ_MAX_SELECTORS;
+ 
+       /*--- Undo the MTF values for the selectors. ---*/
+       {
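Review bot: two wording slips in the patch header should be corrected before this ships as the Debian patch description: 18002 "isn't a factor of 2" should read "isn't a power of two", and encoders rounding "to some convenient factor of 8" should read "multiple of 8". On the decompress.c change, dropping the upper bound at `+      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);` is only safe because the store is guarded by `if (i < BZ_MAX_SELECTORS)` and `nSelectors` is clamped back to BZ_MAX_SELECTORS before the MTF-undo loop that follows; a one-line comment at the read site pointing at that clamp would stop a later "simplification" of the loop from reintroducing the out-of-range write that the CVE-2019-12900 check was added to block. The compress.c hunk is a pure rename rather than a behaviour change: with BZ_G_SIZE = 50, as the description states, 2 + (900000 / BZ_G_SIZE) is exactly the 18002 that BZ_MAX_SELECTORS denotes.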
diff -Nru bzip2-1.0.6/debian/patches/series bzip2-1.0.6/debian/patches/series
--- bzip2-1.0.6/debian/patches/series	2019-06-24 22:15:37.000000000 +0200
+++ bzip2-1.0.6/debian/patches/series	2019-07-10 06:23:28.000000000 +0200
@@ -8,3 +8,4 @@
 bzdiff-tmpdir-spaces.diff
 40-bzdiff-l.patch
 Make-sure-nSelectors-is-not-out-of-range.patch
+Accept-as-many-selectors-as-the-file-format-allows.patch
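Review bot: the ordering in series is load-bearing here: the new patch rewrites the `nSelectors > BZ_MAX_SELECTORS` check that Make-sure-nSelectors-is-not-out-of-range.patch introduced, so it must stay after that entry or it will fail to apply; a short comment in the new patch's header stating that it depends on the earlier patch would make the constraint explicit for anyone reordering the series later.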

--- End Message ---
--- Begin Message ---
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---