Re: [SECURITY] [DLA 1833-1] bzip2 security update
Hi Thorsten,
On Mon, Jun 24, 2019 at 10:24:51PM +0200, Thorsten Alteholz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Package : bzip2
> Version : 1.0.6-7+deb8u1
> CVE ID : CVE-2016-3189 CVE-2019-12900
>
>
> Two issues in bzip2, a high-quality block-sorting file compressor, have been
> fixed. One, CVE-2019-12900, is an out-of-bounds write when using a crafted
> compressed file. The other, CVE-2016-3189, is a potential use-after-free.
The update for bzip2 is affected as well by a regression due to the
CVE-2019-12900 fix, cf. https://bugs.debian.org/931278.
There is now an upstream fix for this:
https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13
Hope this helps,
Regards,
Salvatore