A security issue in bzip2 has been announced today (June 20):
http://openwall.com/lists/oss-security/2016/06/20/1

There is a proposed patch to fix it in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1319648
Whiteboard: (none) => MGA5TOO
According to this:
http://openwall.com/lists/oss-security/2016/07/21/1

CVE-2016-5399 is a bug in bzip2 that affects php.
uploaded in mga5 updates_testing SRPMS: bzip2-1.0.6-7.1.mga5
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Version: Cauldron => 5
Assignee: tmb => qa-bugs
(In reply to David Walser from comment #1)
> According to this:
> http://openwall.com/lists/oss-security/2016/07/21/1
>
> CVE-2016-5399 is a bug in bzip2 that affects php.

One RedHat guy disputes whether it's a bug in bzip2, but this has been mitigated in php already.
Advisory:
========================

Updated bzip2 packages fix security vulnerability:

A use-after-free flaw was found in bzip2recover, leading to a null pointer dereference, or a write to a closed file descriptor. An attacker could use this flaw by sending a specially crafted bzip2 file to recover and force the program to crash (CVE-2016-3189).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189
http://openwall.com/lists/oss-security/2016/06/20/1
https://bugzilla.redhat.com/show_bug.cgi?id=1319648
========================

Updated packages in core/updates_testing:
========================
bzip2-1.0.6-7.1.mga5
libbzip2_1-1.0.6-7.1.mga5
libbzip2-devel-1.0.6-7.1.mga5

from bzip2-1.0.6-7.1.mga5.src.rpm
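The bug class the advisory describes, a FILE* that is closed and then reached again from an error path, shown as an added C illustration; this is not bzip2recover's own code, and `safe_close`, `write_block` and `recover_demo` are names assumed for this example, with a constructed block payload. The defensive idiom is to clear the handle at the point of closing and to refuse, rather than dereference, a cleared handle.

```c
#include <stdio.h>

/* Close a stream and clear the caller's pointer so a later error path
 * cannot reuse the stale handle. Safe to call twice. */
static int safe_close(FILE **fp)
{
    if (fp == NULL || *fp == NULL)
        return 0;            /* already closed: nothing to do */
    int rc = fclose(*fp);
    *fp = NULL;              /* drop the dangling pointer */
    return rc;
}

/* Write one recovered block. Returns bytes written, or -1 if the
 * output is already closed (instead of dereferencing a stale FILE*). */
static long write_block(FILE *out, const unsigned char *buf, size_t len)
{
    if (out == NULL)
        return -1;
    size_t n = fwrite(buf, 1, len, out);
    return (n == len) ? (long)n : -1;
}

/* Simulated recover loop: emit a block, close the output at end of
 * stream, then take an error path that touches the output again.
 * Returns the bytes written before the close (25 for the constructed
 * payload) when both post-close operations are refused harmlessly,
 * or a negative code otherwise. */
static long recover_demo(void)
{
    static const unsigned char block[] = "constructed block payload"; /* constructed */
    FILE *out = tmpfile();   /* stand-in for the recovered output file */
    if (out == NULL)
        return -1;
    long written = write_block(out, block, sizeof block - 1);

    safe_close(&out);        /* end of stream: output closed, pointer cleared */

    /* Error path reached with what would have been a stale handle.
     * With the pointer cleared the write is refused, not dereferenced. */
    if (write_block(out, block, 1) != -1)
        return -2;
    if (safe_close(&out) != 0)   /* second close is a harmless no-op */
        return -3;
    return written;
}

int main(void)
{
    long n = recover_demo();
    printf("recovered %ld bytes; stale handle safely refused\n", n);
    return n > 0 ? 0 : 1;
}
```

The same pattern applies to any long-lived handle (file descriptor, socket, heap buffer): clear it where it is released, and make every later use check for the cleared state.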
MGA5-32 on AcerD620 Xfce
No installation issues.
Used bzip2 and bunzip2 to compress and extract a bunch of image files: OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Testing M5_84

Updated bzip2 to:
bzip2-1.0.6-7.1.mga5
lib64bzip2_1-1.0.6-7.1.mga5
lib64bzip2-devel-1.0.6-7.1.mga5

In the following test, 'docs' is a large mixed directory.

$ find docs | cpio -o -F docsdir1.cpio          [make it into a large single file]
$ ls -l docsdir*
-rw-r--r-- 1 lewis lewis 278925824 Tach 26 08:40 docsdir1.cpio
$ cp docsdir1.cpio docsdir2.cpio                [copy it for reference]
$ bzip2 docsdir1.cpio                           [compress it]
$ ls -l docsdir1*
-rw-r--r-- 1 lewis lewis 246839393 Tach 26 08:40 docsdir1.cpio.bz2
$ bunzip2 docsdir1.cpio.bz2                     [de-compress it]
$ ls -l docsdir*
-rw-r--r-- 1 lewis lewis 278925824 Tach 26 08:40 docsdir1.cpio
-rw-r--r-- 1 lewis lewis 278925824 Tach 26 08:41 docsdir2.cpio
$ cmp docsdir1.cpio docsdir2.cpio               [verify it against original]
$

OK. Validating. Advisory to follow.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Advisory from Comment 4 uploaded.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0400.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => https://lwn.net/Vulnerabilities/707496/