Source: bzip2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for bzip2.

CVE-2023-29415[0]:
| An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A denial
| of service (process hang) can occur with a crafted archive because
| bzip3 does not follow the required procedure for interacting with
| libsais.

https://github.com/kspalaiologos/bzip3/issues/95
https://github.com/kspalaiologos/bzip3/commit/56c24ca1f8f25e648d42154369b6962600f76465

CVE-2023-29416[1]:
| An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A
| bz3_decode_block out-of-bounds write can occur with a crafted archive
| because bzip3 does not follow the required procedure for interacting
| with libsais.

https://github.com/kspalaiologos/bzip3/commit/bfa5bf82b53715dfedf048e5859a46cf248668ff (1.3.0)
https://github.com/kspalaiologos/bzip3/issues/92

CVE-2023-29418[2]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| an xwrite out-of-bounds read.

https://github.com/kspalaiologos/bzip3/commit/aae16d107f804f69000c09cd92027a140968cc9d (1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92

CVE-2023-29419[3]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| a bz3_decode_block out-of-bounds read.

https://github.com/kspalaiologos/bzip3/commit/8ec8ce7d3d58bf42dabc47e4cc53aa27051bd602 (1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92

CVE-2023-29420[4]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| a crash caused by an invalid memmove in bz3_decode_block.

https://github.com/kspalaiologos/bzip3/commit/bb06deb85f1c249838eb938e0dab271d4194f8fa (1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92

CVE-2023-29421[5]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| an out-of-bounds write in bz3_decode_block.

https://github.com/kspalaiologos/bzip3/issues/94
https://github.com/kspalaiologos/bzip3/commit/33b1951f153c3c5dc8ed736b9110437e1a619b7d (1.2.3)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29415
    https://www.cve.org/CVERecord?id=CVE-2023-29415
[1] https://security-tracker.debian.org/tracker/CVE-2023-29416
    https://www.cve.org/CVERecord?id=CVE-2023-29416
[2] https://security-tracker.debian.org/tracker/CVE-2023-29418
    https://www.cve.org/CVERecord?id=CVE-2023-29418
[3] https://security-tracker.debian.org/tracker/CVE-2023-29419
    https://www.cve.org/CVERecord?id=CVE-2023-29419
[4] https://security-tracker.debian.org/tracker/CVE-2023-29420
    https://www.cve.org/CVERecord?id=CVE-2023-29420
[5] https://security-tracker.debian.org/tracker/CVE-2023-29421
    https://www.cve.org/CVERecord?id=CVE-2023-29421

Please adjust the affected versions in the BTS as needed.