Re: [SECURITY] [DLA 1833-1] bzip2 security update
On Mon, Jun 24, 2019 at 10:24:51PM +0200, Thorsten Alteholz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> Package : bzip2
> Version : 1.0.6-7+deb8u1
> CVE ID : CVE-2016-3189 CVE-2019-12900
> Two issues in bzip2, a high-quality block-sorting file compressor, have been
> fixed. One, CVE-2019-12900, is an out-of-bounds write when using a crafted
> compressed file. The other, CVE-2016-3189, is a potential use-after-free.
The update for bzip2 is also affected by a regression due to the
CVE-2019-12900 fix, cf. https://bugs.debian.org/931278.
There is now an upstream fix for this:
Hope this helps,