
Re: [SECURITY] [DLA 1833-1] bzip2 security update



Hi Thorsten,

On Mon, Jun 24, 2019 at 10:24:51PM +0200, Thorsten Alteholz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Package        : bzip2
> Version        : 1.0.6-7+deb8u1
> CVE ID         : CVE-2016-3189 CVE-2019-12900
> 
> 
> Two issues in bzip2, a high-quality block-sorting file compressor, have been
> fixed. One, CVE-2019-12900, is an out-of-bounds write when using a crafted
> compressed file. The other, CVE-2016-3189, is a potential use-after-free.

The update for bzip2 is affected as well by a regression due to the
CVE-2019-12900 fix, cf. https://bugs.debian.org/931278 .

There is now an upstream fix for this:

https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13

Hope this helps,

Regards,
Salvatore
