Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200804-02 ] bzip2: Denial of Service
Date: Wed, 02 Apr 2008 21:29:20
Message-Id: 47F3F7C8.4030506@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200804-02
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: Normal
11 Title: bzip2: Denial of Service
12 Date: April 02, 2008
13 Bugs: #213820
14 ID: 200804-02
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 A buffer overread vulnerability has been discovered in Bzip2.
22
23 Background
24 ==========
25
26 bzip2 is a free and open source lossless data compression program.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 app-arch/bzip2 < 1.0.5 >= 1.0.5
35
36 Description
37 ===========
38
39 The Oulu University discovered that bzip2 does not properly check
40 offsets provided by the bzip2 file, leading to a buffer overread.
41
42 Impact
43 ======
44
45 Remote attackers can entice a user or automated system to open a
46 specially crafted file that triggers a buffer overread, causing a
47 Denial of Service. libbz2 and programs linking against it are also
48 affected.
49
50 Workaround
51 ==========
52
53 There is no known workaround at this time.
54
55 Resolution
56 ==========
57
58 All bzip2 users should upgrade to the latest version:
59
60 # emerge --sync
61 # emerge --ask --oneshot --verbose ">=app-arch/bzip2-1.0.5"
62
63 References
64 ==========
65
66 [ 1 ] CVE-2008-1372
67 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
68
69 Availability
70 ============
71
72 This GLSA and any updates to it are available for viewing at
73 the Gentoo Security Website:
74
75 http://security.gentoo.org/glsa/glsa-200804-02.xml
76
77 Concerns?
78 =========
79
80 Security is a primary focus of Gentoo Linux and ensuring the
81 confidentiality and security of our users machines is of utmost
82 importance to us. Any security concerns should be addressed to
83 security@g.o or alternatively, you may file a bug at
84 http://bugs.gentoo.org.
85
86 License
87 =======
88
89 Copyright 2008 Gentoo Foundation, Inc; referenced text
90 belongs to its owner(s).
91
92 The contents of this document are licensed under the
93 Creative Commons - Attribution / Share Alike license.
94
95 http://creativecommons.org/licenses/by-sa/2.5
96 -----BEGIN PGP SIGNATURE-----
97 Version: GnuPG v2.0.7 (GNU/Linux)
98 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
99
100 iD8DBQFH8/fIuhJ+ozIKI5gRAjfcAJ9wLqBQ+PQUFrcINyuefjpEXH9YggCgg5Ij
101 434KWguF4ipNmPXLhqN3rxs=
102 =wki3
103 -----END PGP SIGNATURE-----
104 --
105 gentoo-announce@l.g.o mailing list