oss-sec mailing list archives
CVE request: bzip2 CERT-FI: 20469
From: Robert Buchholz <rbu () gentoo org>
Date: Tue, 18 Mar 2008 15:34:03 +0100
Hey, CERT-FI: 20469 [1] was released yesterday, and with it a new bzip2 release, quoting their CHANGES: 1.0.5 (10 Dec 07) ~~~~~~~~~~~~~~~~~ Security fix only. Fixes CERT-FI 20469 as it applies to bzip2. Reading the patch [2], it's missing a boundary check that can lead to an over-read on the tt/ll heap-buffer. I'd call this a DoS, did anyone else review? Thanks, Robert [1] https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html [2] https://bugs.gentoo.org/attachment.cgi?id=146488&action=view
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- CVE request: bzip2 CERT-FI: 20469 Robert Buchholz (Mar 18)
- Re: CVE request: bzip2 CERT-FI: 20469 Josh Bressers (Mar 18)
- Re: CVE request: bzip2 CERT-FI: 20469 Steven M. Christey (Mar 18)
- Re: CVE request: bzip2 CERT-FI: 20469 Josh Bressers (Mar 19)
- Re: CVE request: bzip2 CERT-FI: 20469 Josh Bressers (Mar 18)