Some bugs (and patches to fix them) have been announced for bzip2: https://www.openwall.com/lists/oss-security/2019/06/03/3 https://www.openwall.com/lists/oss-security/2019/06/04/3
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to the base system maintainers, CC'ing the registered maintainer.
CC: (none) => marja11, tmb
Assignee: bugsquad => basesystem
bzip2 1.0.7 has been released on June 27, and CVEs have been allocated for two of the fixes: https://sourceware.org/ml/bzip2-devel/2019-q2/msg00022.html
Status comment: (none) => Fixed upstream in 1.0.7
Summary: Crasher bugs in bzip2 => bzip2 new security issues CVE-2016-3189 and CVE-2019-12900
Note that there are regressions and issues with the fixes and further discussion about it. It sounds like a 1.0.8 release may be forthcoming soon.
bzip2 1.0.8 has been released on July 13 and should be a safe update: https://sourceware.org/ml/bzip2-devel/2019-q3/msg00031.html
David updated Cauldron to 1.0.8.
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
CC: (none) => geiger.david68210
Version: Cauldron => 7
We may have addressed CVE-2016-3189 in Bug 18742. Regardless, Ubuntu has issued an advisory for this on June 26: https://usn.ubuntu.com/4038-1/
Severity: normal => major
openSUSE has issued an advisory for this on July 21: https://lists.opensuse.org/opensuse-updates/2019-07/msg00106.html
Suggested advisory:
========================

The updated packages fix a security vulnerability:

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. (CVE-2019-12900)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
https://www.openwall.com/lists/oss-security/2019/06/03/3
https://www.openwall.com/lists/oss-security/2019/06/04/3
https://sourceware.org/ml/bzip2-devel/2019-q2/msg00022.html
https://sourceware.org/ml/bzip2-devel/2019-q3/msg00031.html
https://usn.ubuntu.com/4038-1/
https://lists.opensuse.org/opensuse-updates/2019-07/msg00106.html
========================

Updated packages in core/updates_testing:
========================
bzip2-1.0.8-1.mga7
lib(64)bz2_1-1.0.8-1.mga7
lib(64)bz2-devel-1.0.8-1.mga7

from SRPMS:
bzip2-1.0.8-1.mga7.src.rpm
Whiteboard: MGA6TOO => (none)
CC: (none) => nicolas.salguero
Source RPM: bzip2-1.0.6-12.mga7.src.rpm => bzip2-1.0.6-13.mga7.src.rpm
CVE: (none) => CVE-2019-12900
Assignee: basesystem => qa-bugs
Status: NEW => ASSIGNED
Summary: bzip2 new security issues CVE-2016-3189 and CVE-2019-12900 => bzip2 new security issue CVE-2019-12900
MGA7-64 Plasma on Lenovo B50
No installation issues.
Copied some pictures to a separate folder: 1 jpeg, 1 tif and 4 ORF files (Olympus RAW format), together 102Mb.
Then
$ bzip2 *
produces
$ ls
ikke2012.jpg.bz2 P7212389.ORF.bz2 P7212390.ORF.bz2 P7212391.ORF.bz2 P7212392.ORF.bz2 p.tif.bz2
size together 71Mb, then
$ bunzip2 *
$ ls
ikke2012.jpg P7212389.ORF P7212390.ORF P7212391.ORF P7212392.ORF p.tif
Pictures display OK and again 102Mb in total.
Update OK for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
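The round-trip test in the report above, as an added, scripted QA check (not the reporter's commands or Mageia's own tooling): it compresses constructed sample files through the bzip2 library Python links against, verifies the decompressed bytes match by SHA-256, and additionally confirms that a corrupted or truncated stream is rejected with a clean error rather than a crash, which is the failure mode CVE-2019-12900 concerns. File names and contents are constructed stand-ins for the reporter's pictures.

```python
"""Round-trip and malformed-input checks for a bzip2 update (constructed example)."""
import bz2
import hashlib
import os
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def roundtrip_file(path: str) -> bool:
    """Compress path to path.bz2, decompress it again and compare digests."""
    with open(path, "rb") as f:
        original = f.read()
    packed = path + ".bz2"
    with bz2.open(packed, "wb") as out:
        out.write(original)
    with bz2.open(packed, "rb") as inp:
        restored = inp.read()
    return sha256(original) == sha256(restored)


def rejects_malformed(stream: bytes) -> bool:
    """True if the decompressor raises a clean Python error on bad input."""
    try:
        bz2.decompress(stream)
    except (OSError, ValueError, EOFError):
        return True
    return False


def run_checks() -> dict:
    # Constructed sample data; names echo the reporter's files, contents do not.
    samples = {
        "ikke2012.jpg": os.urandom(64 * 1024),
        "P7212389.ORF": b"\x00" * 200_000 + os.urandom(1024),
        "p.tif": bytes(range(256)) * 2000,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = roundtrip_file(path)
    good = bz2.compress(b"selectors" * 5000)
    corrupted = bytearray(good)
    corrupted[len(good) // 2] ^= 0xFF          # flip one byte inside the block
    results["corrupted_rejected"] = rejects_malformed(bytes(corrupted))
    results["truncated_rejected"] = rejects_malformed(good[: len(good) // 2])
    return results
```

A failing round-trip or an uncaught exception from the malformed-input checks would be grounds to hold the update rather than validate it.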
Validating. Advisory in Comment 8.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0338.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED