openSUSE has issued an advisory on August 6: https://lists.opensuse.org/opensuse-updates/2016-08/msg00026.html Patched packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated bsdiff package fixes security vulnerability: Integer signedness error in bspatch.c in bspatch in bsdiff allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted patch file (CVE-2014-9862). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862 https://lists.opensuse.org/opensuse-updates/2016-08/msg00026.html ======================== Updated packages in core/updates_testing: ======================== bsdiff-4.3-9.1.mga5 from bsdiff-4.3-9.1.mga5.src.rpm
MGA5-32 on Acer D620 Xfce No installation issues Tested at CLI by: $ cd /bin/ $ bsdiff 7z 7za ~/Documenten/bsdiff.txt which produces a 161 byte file, and $ more ~/Documenten/bsdiff.txt BSDIFF40+
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Testing mga5 x64 real hardware. Copied (for safety) /usr/bin/bsdiff, and another copy to play with. Used hexedit to corrupt that play copy. $ cp /usr/bin/bsdiff . $ cp /usr/bin/bsdiff ./bsdiffcorrupt $ hexedit bsdiffcorrupt BEFORE the update: bsdiff-4.3-9.mga5 $ bsdiff ./bsdiff ./bsdiffcorrupt ./beforepatch where beforepatch is the pre-update binary patch file produced. AFTER update: bsdiff-4.3-9.1.mga5 $ bsdiff ./bsdiff ./bsdiffcorrupt ./afterpatch where afterpatch is the post-update binary patch file produced. $ cmp beforepatch afterpatch $ i.e. the two binary patch files are identical, so the update is not damaging. OK. Validating the update, Advisory will be uploaded.
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OKCC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0288.html
Status: NEW => RESOLVEDResolution: (none) => FIXED