Gentoo Logo

bzip2: Denial of Service

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200804-02 / bzip2
Release Date April 02, 2008
Latest Revision April 02, 2008: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
app-arch/bzip2 < 1.0.5 >= 1.0.5 All supported architectures

Related bugreports: #213820

Synopsis

A buffer overread vulnerability has been discovered in Bzip2.

2.  Impact Information

Background

bzip2 is a free and open source lossless data compression program.

Description

The Oulu University discovered that bzip2 does not properly check offsets provided by the bzip2 file, leading to a buffer overread.

Impact

Remote attackers can entice a user or automated system to open a specially crafted file that triggers a buffer overread, causing a Denial of Service. libbz2 and programs linking against it are also affected.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All bzip2 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/bzip2-1.0.5"

4.  References



Print

Page updated April 02, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.