Bug 18742

Summary: bzip2 new security issue CVE-2016-3189
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/707496/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: bzip2-1.0.6-9.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-06-20 17:41:32 CEST 
A security issue in bzip2 has been announced today (June 20):
http://openwall.com/lists/oss-security/2016/06/20/1

There is a proposed patch to fix it in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1319648
David Walser 2016-06-20 17:41:38 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-07-22 01:27:44 CEST 
According to this:
http://openwall.com/lists/oss-security/2016/07/21/1

CVE-2016-5399 is a bug in bzip2 that affects php.
Comment 2 Nicolas Lécureuil 2016-11-24 09:55:15 CET 
uploaded in mga5 updates_testing

SRPMS: bzip2-1.0.6-7.1.mga5

Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Version: Cauldron => 5
Assignee: tmb => qa-bugs

Comment 3 David Walser 2016-11-24 13:46:20 CET 
(In reply to David Walser from comment #1)
> According to this:
> http://openwall.com/lists/oss-security/2016/07/21/1
> 
> CVE-2016-5399 is a bug in bzip2 that affects php.

One RedHat guy disputes whether it's a bug in bzip2, but this has been mitigated in php already.
Comment 4 David Walser 2016-11-24 13:48:41 CET 
Advisory:
========================

Updated bzip2 packages fix security vulnerability:

A use-after-free flaw was found in bzip2recover, leading to a null pointer
dereference, or a write to a closed file descriptor. An attacker could use this
flaw by sending a specially crafted bzip2 file to recover and force the program
to crash (CVE-2016-3189).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189
http://openwall.com/lists/oss-security/2016/06/20/1
https://bugzilla.redhat.com/show_bug.cgi?id=1319648
========================

Updated packages in core/updates_testing:
========================
bzip2-1.0.6-7.1.mga5
libbzip2_1-1.0.6-7.1.mga5
libbzip2-devel-1.0.6-7.1.mga5

from bzip2-1.0.6-7.1.mga5.src.rpm
Comment 5 Herman Viaene 2016-11-25 16:11:00 CET 
MGA5-32 on AcerD620 Xfce
No installation issues.
Used bzip2 and bunzip2 to compress and extract bunch of image files: OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 6 Lewis Smith 2016-11-26 09:13:29 CET 
Testing M5_84

Updated bzip2 to:
 bzip2-1.0.6-7.1.mga5
 lib64bzip2_1-1.0.6-7.1.mga5
 lib64bzip2-devel-1.0.6-7.1.mga5
In the following test, 'docs' is a large mixed directory.
 $ find docs | cpio -o -F docsdir1.cpio      [make it into a large single file]
 $ ls -l docsdir*
 -rw-r--r-- 1 lewis lewis 278925824 Tach 26 08:40 docsdir1.cpio
 $ cp docsdir1.cpio docsdir2.cpio            [copy it for reference]
 $ bzip2 docsdir1.cpio                      [compress it]
 $ ls -l docsdir1*
 -rw-r--r-- 1 lewis lewis 246839393 Tach 26 08:40 docsdir1.cpio.bz2
 $ bunzip2 docsdir1.cpio.bz2                [de-compress it]
 $ ls -l docsdir*
 -rw-r--r-- 1 lewis lewis 278925824 Tach 26 08:40 docsdir1.cpio
 -rw-r--r-- 1 lewis lewis 278925824 Tach 26 08:41 docsdir2.cpio
 $ cmp docsdir1.cpio docsdir2.cpio           [verify it against original]
 $
OK. Validating. Advisory to follow.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Lewis Smith 2016-11-26 09:22:05 CET 
Advisory from Comment 4 uploaded.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 8 Mageia Robot 2016-11-26 11:42:38 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0400.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2016-11-28 20:51:02 CET

URL: (none) => https://lwn.net/Vulnerabilities/707496/