Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 18 Mar 2008 10:46:00 -0400
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com, Robert Buchholz <rbu@...too.org>
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: bzip2 CERT-FI: 20469

> 
> Hey,
> 
> CERT-FI: 20469 [1] was released yesterday, and with it a new bzip2=20
> release, quoting their CHANGES:
> 
> 1.0.5 (10 Dec 07)
> ~~~~~~~~~~~~~~~~~
> Security fix only.  Fixes CERT-FI 20469 as it applies to bzip2.
> 
> 
> Reading the patch [2], it's missing a boundary check that can lead to an
> over-read on the tt/ll heap-buffer. I'd call this a DoS, did anyone
> else review?
> 

I'm running version 1.0.4 through the bzip2 files now (it takes a long time
to run, there are a lot of files).  If I find the reproducer, I'll let you
know.

I saw no crashes when I ran the CERT-FI suite over bzip2 versions 1.0.1,
1.0.2, and 1.0.3.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.