Date: Tue, 18 Mar 2008 15:34:03 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: bzip2 CERT-FI: 20469

Hey,

CERT-FI: 20469 was released yesterday, and with it a new bzip2 release,
quoting their CHANGES:

1.0.5 (10 Dec 07)
~~~~~~~~~~~~~~~~~
Security fix only. Fixes CERT-FI 20469 as it applies to bzip2.

Reading the patch, it's missing a boundary check that can lead to an
over-read on the tt/ll heap-buffer. I'd call this a DoS, did anyone else
review?

Thanks,
Robert

https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
https://bugs.gentoo.org/attachment.cgi?id=146488&action=view

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)