Gentoo Logo

bzip2: Denial of Service


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200804-02 / bzip2
Release Date April 02, 2008
Latest Revision April 02, 2008: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
app-arch/bzip2 < 1.0.5 >= 1.0.5 All supported architectures

Related bugreports: #213820


A buffer overread vulnerability has been discovered in Bzip2.

2.  Impact Information


bzip2 is a free and open source lossless data compression program.


The Oulu University discovered that bzip2 does not properly check offsets provided by the bzip2 file, leading to a buffer overread.


Remote attackers can entice a user or automated system to open a specially crafted file that triggers a buffer overread, causing a Denial of Service. libbz2 and programs linking against it are also affected.

3.  Resolution Information


There is no known workaround at this time.


All bzip2 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/bzip2-1.0.5"

4.  References


Page updated April 02, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.