Debian Bug report logs - #310803
bzip2: CAN-2005-1260 decompression bomb vulnerability

Package: bzip2; Maintainer for bzip2 is Anibal Monsalve Salazar <anibal@debian.org>; Source for bzip2 is src:bzip2.

Reported by: Geoff Crompton <geoff.crompton@strategicdata.com.au>

Date: Thu, 26 May 2005 06:03:02 UTC

Severity: grave

Tags: security

Found in version 1.0.2-6

Fixed in version bzip2/1.0.2-7

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#310803; Package bzip2.

Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bzip2: CAN-2005-1260 decompression bomb vulnerability
Date: Thu, 26 May 2005 15:59:50 +1000
Package: bzip2
Version: 1.0.2-6
Severity: critical
Justification: breaks the whole system

See http://www.securityfocus.com/bid/13657 for more info. Quoting from
MDKSA-2005:091
>A vulnerability was found where specially crafted bzip2 archives would
> cause an infinite loop in the decompressor, resulting in an
> indefinitively large output file (also known as a "decompression
> bomb").  This could be exploited to cause a Denial of Service attack
> on the host computer due to disk space exhaustion (CAN-2005-1260).

Ubuntu have released advisory USN-127-1. I had a look through the patch
that this cited, but I couldn't tell which parts of it were related to
this, which were related to CAN-2005-0953, and which were other mods.
I pulled this patch from
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.1.diff.gz

I've also not been able to find a diff between 1.0.2 and 1.0.3 from
upstream.

I've marked this RC as it can hose a system, but if others think the
likelihood of exploit is fairly small, I've no problems with it being
reclassified.

--
Geoff Crompton
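
The failure mode quoted from the Mandriva advisory, a small input that the decompressor keeps inflating until the disk is full, is defended against on the consuming side by capping the output rather than trusting the archive. The following is an added example, not code from bzip2, Debian, Ubuntu or the bug reporter: it uses Python's standard-library bz2 module (a wrapper around libbz2) to decompress a single bzip2 stream under a hard output ceiling, so a bomb is cut off once the cap is passed instead of running to exhaustion. The sample input is constructed here (a few MiB of zero bytes compressed with bz2.compress) and merely stands in for a crafted archive; the function names, exception class and cap values are this example's own, and the patched bzip2 binary itself is not exercised.

```python
"""Bounded bzip2 decompression as a defence against decompression bombs.

Added example, not code from bzip2, Debian or the bug reporter. It relies on
the standard-library bz2 module (which wraps libbz2) and on a constructed
input: a few MiB of zero bytes compressed with bz2.compress, standing in for
a hostile high-ratio archive. All names and limits here are this example's own.
"""
import bz2


class DecompressionLimitExceeded(Exception):
    """Raised when the decompressed output would exceed the caller's cap."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress one bzip2 stream, never materialising more than max_output bytes.

    BZ2Decompressor.decompress(max_length=...) returns at most max_length bytes
    per call and keeps the remainder buffered inside the decompressor, so the
    size check runs before every step rather than after the stream has been
    fully inflated.  A bomb is therefore stopped after at most max_output + 1
    bytes, not after the disk (or memory) is gone.
    """
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data  # the whole compressed input is handed over on the first call
    while not decomp.eof:
        # Permit exactly one byte past the cap; producing it is the tripwire.
        budget = max_output + 1 - len(out)
        if budget <= 0:
            raise DecompressionLimitExceeded(f"output exceeds {max_output} bytes")
        if decomp.needs_input:
            if not pending:
                # Input exhausted before the end-of-stream marker: truncated data.
                raise ValueError("truncated bzip2 stream")
            feed, pending = pending, b""
        else:
            feed = b""  # the decompressor still holds unconsumed input
        out += decomp.decompress(feed, max_length=min(chunk, budget))
        if len(out) > max_output:
            raise DecompressionLimitExceeded(f"output exceeds {max_output} bytes")
    # Anything after the end-of-stream marker (for example a second concatenated
    # stream) is left in decomp.unused_data; this example deliberately ignores it.
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if decompressing data would need more than max_output bytes."""
    try:
        bounded_bz2_decompress(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed sample: 4 MiB of zeros compresses to well under a kilobyte,
# a ratio in the same class as a deliberately crafted bomb.
SAMPLE_PLAIN_SIZE = 4 * 1024 * 1024
SAMPLE_BOMB = bz2.compress(b"\0" * SAMPLE_PLAIN_SIZE)


if __name__ == "__main__":
    print(f"compressed {len(SAMPLE_BOMB)} bytes -> {SAMPLE_PLAIN_SIZE} bytes plain")
    print("1 MiB cap exceeded:", exceeds_limit(SAMPLE_BOMB, 1024 * 1024))
    print("8 MiB cap exceeded:", exceeds_limit(SAMPLE_BOMB, 8 * 1024 * 1024))
```

The cap bounds memory as well as disk because the output accumulates in a bytearray; a real extractor would stream each chunk to a file and count bytes written against a quota instead. BZ2Decompressor handles a single stream, so a .bz2 made of concatenated streams needs an outer loop that restarts on decomp.unused_data with the same running total.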



Tags added: security. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Severity set to `grave'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility.

Notification sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Bug acknowledged by developer.

Message #14 received at 310803-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 310803-close@bugs.debian.org
Subject: Bug#310803: fixed in bzip2 1.0.2-7
Date: Sat, 28 May 2005 01:02:26 -0400
Source: bzip2
Source-Version: 1.0.2-7

We believe that the bug you reported is fixed in the latest version of
bzip2, which is due to be installed in the Debian FTP archive:

bzip2_1.0.2-7.diff.gz
  to pool/main/b/bzip2/bzip2_1.0.2-7.diff.gz
bzip2_1.0.2-7.dsc
  to pool/main/b/bzip2/bzip2_1.0.2-7.dsc
bzip2_1.0.2-7_i386.deb
  to pool/main/b/bzip2/bzip2_1.0.2-7_i386.deb
libbz2-1.0_1.0.2-7_i386.deb
  to pool/main/b/bzip2/libbz2-1.0_1.0.2-7_i386.deb
libbz2-dev_1.0.2-7_i386.deb
  to pool/main/b/bzip2/libbz2-dev_1.0.2-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 310803@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated bzip2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 28 May 2005 14:05:46 +1000
Source: bzip2
Binary: libbz2-1.0 bzip2 libbz2-dev
Architecture: source i386
Version: 1.0.2-7
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 bzip2      - high-quality block-sorting file compressor - utilities
 libbz2-1.0 - high-quality block-sorting file compressor library - runtime
 libbz2-dev - high-quality block-sorting file compressor library - development
Closes: 293581 310803
Changes: 
 bzip2 (1.0.2-7) unstable; urgency=high
 .
   * Fixed "CAN-2005-1260 decompression bomb vulnerability", closes: #310803.
     Patch by Martin Pitt <martin.pitt@ubuntu.com>.
   * Fixed "Example provided in documentation causes data loss", closes:
     #293581. Patch by Adam Borowski <kilobyte@mimuw.edu.pl>.
Files: 
 6e0e0ccfea94e3f194fa24d413ebc87f 577 utils standard bzip2_1.0.2-7.dsc
 444ffa10d91ca582f63a75dd8908c994 16264 utils standard bzip2_1.0.2-7.diff.gz
 ff6d4aa0fc45cb62949b564ee4a4a7fb 38682 libs standard libbz2-1.0_1.0.2-7_i386.deb
 524000f103f5f03ac835bfe2991d8c05 30308 libdevel optional libbz2-dev_1.0.2-7_i386.deb
 4c5ed64e1e60d63f0acb9c5f7df05445 233356 utils optional bzip2_1.0.2-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCl/aTgY5NIXPNpFURAnWkAKDGuKmt9+4pkai5sqJr6oFyV1uACACgtTLl
n4tCRKKXaa77D9VN5z6DZDo=
=IuJj
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:28:42 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.