
Bug#853760: unblock: bzip2/1.0.6-8.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package bzip2

Ben Hutchings fixed #827744 (CVE-2016-3189) for bzip2 via an NMU to
unstable. Could you please unblock bzip2 to have the fix included in
stretch?

Changelog:

>bzip2 (1.0.6-8.1) unstable; urgency=medium
>
>  * Non-maintainer upload.
>  * bzip2recover: Fix potential use-after-free, Closes: #827744 (CVE-2016-3189)
>
> -- Ben Hutchings <ben@decadent.org.uk>  Sun, 29 Jan 2017 18:30:31 +0000

unblock bzip2/1.0.6-8.1

Attached is the debdiff against the version currently in testing.

Regards,
Salvatore
diff -Nru bzip2-1.0.6/debian/changelog bzip2-1.0.6/debian/changelog
--- bzip2-1.0.6/debian/changelog	2015-05-19 21:37:53.000000000 +0200
+++ bzip2-1.0.6/debian/changelog	2017-01-29 19:30:31.000000000 +0100
@@ -1,3 +1,10 @@
+bzip2 (1.0.6-8.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * bzip2recover: Fix potential use-after-free, Closes: #827744 (CVE-2016-3189)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 29 Jan 2017 18:30:31 +0000
+
 bzip2 (1.0.6-8) unstable; urgency=medium
 
   * Remove Jorge Ernesto Guevara Cuenca from Uploaders, as agreed with him.
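
Review bot: The new 1.0.6-8.1 entry does not name the file it adds. Consider mentioning debian/patches/bzip2recover-CVE-2016-3189.patch in the bullet, so that someone reading only the changelog can find the change that closes #827744.
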
diff -Nru bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch
--- bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch	1970-01-01 01:00:00.000000000 +0100
+++ bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch	2017-01-29 19:30:31.000000000 +0100
@@ -0,0 +1,17 @@
+Author: Jakub Martisko <jamartis@redhat.com>
+Date: Wed, 30 Mar 2016 10:22:27 +0200
+Description: bzip2recover: Fix potential use-after-free
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-3189
+Bug-Debian: https://bugs.debian.org/827744
+
+--- a/bzip2recover.c
++++ b/bzip2recover.c
+@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
++            outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;
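
Review bot: At the added line after bsClose ( bsWr ), only outFile is cleared, while bsWr keeps its old value after the stream has been closed. The fix therefore depends on every later use of bsWr being gated on outFile, which the context in this hunk does not show. Consider also resetting bsWr next to it (bsWr = NULL;) so a stale handle cannot be reused by a path that skips that check. The Description field is only the one-line title; a sentence saying why clearing outFile prevents the use-after-free would help whoever has to carry this patch forward.
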
diff -Nru bzip2-1.0.6/debian/patches/series bzip2-1.0.6/debian/patches/series
--- bzip2-1.0.6/debian/patches/series	2014-07-26 17:46:24.000000000 +0200
+++ bzip2-1.0.6/debian/patches/series	2017-01-29 19:30:31.000000000 +0100
@@ -1,3 +1,4 @@
 10-bzip2.1.patch
 20-legacy.patch
 30-bzip2-harden.patch
+bzip2recover-CVE-2016-3189.patch
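
Review bot: The appended series entry breaks the numeric-prefix naming used by the three existing patches (10-, 20-, 30-). Ordering is still correct because it is last in the file, but a name such as 40-bzip2recover-CVE-2016-3189.patch would keep the directory listing in application order and match the package's convention.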
