Debian Bug report logs - #310803
bzip2: CAN-2005-1260 decompression bomb vulnerability

Package: bzip2; Maintainer for bzip2 is Anibal Monsalve Salazar <>; Source for bzip2 is src:bzip2.

Reported by: Geoff Crompton <>

Date: Thu, 26 May 2005 06:03:02 UTC

Severity: grave

Tags: security

Found in version 1.0.2-6

Fixed in version bzip2/1.0.2-7

Done: Anibal Monsalve Salazar <>

Bug is archived. No further changes may be made.

Report forwarded to Anibal Monsalve Salazar <>:
Bug#310803; Package bzip2.

Acknowledgement sent to Geoff Crompton <>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <>.

Message #5:

From: Geoff Crompton <>
To: Debian Bug Tracking System <>
Subject: bzip2: CAN-2005-1260 decompression bomb vulnerability
Date: Thu, 26 May 2005 15:59:50 +1000
Package: bzip2
Version: 1.0.2-6
Severity: critical
Justification: breaks the whole system

See for more info. Quoting from
> A vulnerability was found where specially crafted bzip2 archives would
> cause an infinite loop in the decompressor, resulting in an
> indefinitely large output file (also known as a "decompression
> bomb").  This could be exploited to cause a Denial of Service attack
> on the host computer due to disk space exhaustion (CAN-2005-1260).

Ubuntu have released advisory USN-127-1. I had a look through the patch
that this cited, but I couldn't tell which parts of it were related to
this, which were related to CAN-2005-0953, and which were other mods.
I pulled this patch from

I've also not been able to find a diff between 1.0.2 and 1.0.3 from

I've marked this RC as it can hose a system, but if others think the
likelihood of exploit is fairly small, I've no problems with it being

Geoff Crompton
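The advisory quoted above describes the core risk: the size of the decompressed output is controlled by the attacker, not by the size of the archive. The defensive counterpart is to never let the decompressor run without an output cap. The example below is added here and is not part of the bug report or of the bzip2 patch; it uses Python's `bz2.BZ2Decompressor` (libbz2 under the hood) with `max_length` to bound output, distinguishes a stream that blows past the cap from one that is merely truncated, and builds its own sample "bomb" from 4 MiB of zero bytes.

```python
import bz2


class DecompressionBombError(Exception):
    """The decompressed output would exceed the caller's limit."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress one bzip2 stream, never materialising more than max_output bytes.

    BZ2Decompressor.decompress(..., max_length=n) returns at most n bytes per call
    and keeps the rest buffered, so the caller, not the stream, bounds output growth.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    src = data  # whole input on the first call; later calls only drain buffered state
    while not dec.eof:
        room = max_output - len(out)
        if room <= 0:
            # Limit reached. Probe for one more byte: a benign stream may end exactly
            # here, in which case the probe returns b"" and eof flips to True.
            if dec.decompress(src, max_length=1):
                raise DecompressionBombError(f"output exceeds {max_output} bytes")
            if not dec.eof:
                raise ValueError("truncated bzip2 stream")
            break
        out += dec.decompress(src, max_length=min(chunk, room))
        src = b""
        if dec.needs_input and not dec.eof:
            # Input exhausted, output buffer not full, no end-of-stream marker seen.
            raise ValueError("truncated bzip2 stream")
    return bytes(out)


def classify_stream(data: bytes, max_output: int) -> str:
    """Return 'ok', 'bomb' or 'truncated' for data under the given output limit."""
    try:
        bounded_bz2_decompress(data, max_output)
    except DecompressionBombError:
        return "bomb"
    except ValueError:
        return "truncated"
    return "ok"


# Constructed samples (not from the bug report): a benign stream and a "bomb" built
# from 4 MiB of zero bytes, which bzip2 shrinks to a few dozen bytes.
BENIGN = bz2.compress(b"hello world")
BOMB = bz2.compress(b"\0" * (4 * 1024 * 1024))

if __name__ == "__main__":
    print("benign:", classify_stream(BENIGN, 1024))          # ok
    print("bomb  :", classify_stream(BOMB, 1_000_000))       # bomb
    print("cut   :", classify_stream(BOMB[:-5], 16_000_000)) # truncated
```

The same cap-and-probe pattern applies to any streaming decompressor that exposes a `max_length`-style argument; the point is that the limit is enforced before the bytes are written anywhere, so a crafted archive cannot fill the disk.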

Tags added: security. Request was from Steve Langasek <>.

Severity set to `grave'. Request was from Steve Langasek <>.

Reply sent to Anibal Monsalve Salazar <>:
You have taken responsibility.

Notification sent to Geoff Crompton <>:
Bug acknowledged by developer.

Message #14:

From: Anibal Monsalve Salazar <>
Subject: Bug#310803: fixed in bzip2 1.0.2-7
Date: Sat, 28 May 2005 01:02:26 -0400
Source: bzip2
Source-Version: 1.0.2-7

We believe that the bug you reported is fixed in the latest version of
bzip2, which is due to be installed in the Debian FTP archive:

  to pool/main/b/bzip2/bzip2_1.0.2-7.diff.gz
  to pool/main/b/bzip2/bzip2_1.0.2-7.dsc
  to pool/main/b/bzip2/bzip2_1.0.2-7_i386.deb
  to pool/main/b/bzip2/libbz2-1.0_1.0.2-7_i386.deb
  to pool/main/b/bzip2/libbz2-dev_1.0.2-7_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Anibal Monsalve Salazar <> (supplier of updated bzip2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.7
Date: Sat, 28 May 2005 14:05:46 +1000
Source: bzip2
Binary: libbz2-1.0 bzip2 libbz2-dev
Architecture: source i386
Version: 1.0.2-7
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <>
Changed-By: Anibal Monsalve Salazar <>
 bzip2      - high-quality block-sorting file compressor - utilities
 libbz2-1.0 - high-quality block-sorting file compressor library - runtime
 libbz2-dev - high-quality block-sorting file compressor library - development
Closes: 293581 310803
 bzip2 (1.0.2-7) unstable; urgency=high
   * Fixed "CAN-2005-1260 decompression bomb vulnerability", closes: #310803.
     Patch by Martin Pitt <>.
   * Fixed "Example provided in documentation causes data loss", closes:
     #293581. Patch by Adam Borowski <>.
 6e0e0ccfea94e3f194fa24d413ebc87f 577 utils standard bzip2_1.0.2-7.dsc
 444ffa10d91ca582f63a75dd8908c994 16264 utils standard bzip2_1.0.2-7.diff.gz
 ff6d4aa0fc45cb62949b564ee4a4a7fb 38682 libs standard libbz2-1.0_1.0.2-7_i386.deb
 524000f103f5f03ac835bfe2991d8c05 30308 libdevel optional libbz2-dev_1.0.2-7_i386.deb
 4c5ed64e1e60d63f0acb9c5f7df05445 233356 utils optional bzip2_1.0.2-7_i386.deb


Debian bug tracking system administrator <>. Last modified: Sat Apr 19 02:28:42 2014; Machine Name:
