Package: bzip2
Version: 1.0.2-6
Severity: critical
Justification: breaks the whole system
See http://www.securityfocus.com/bid/13657 for more info. Quoting from MDKSA-2005:091:

> A vulnerability was found where specially crafted bzip2 archives would
> cause an infinite loop in the decompressor, resulting in an
> indefinitely large output file (also known as a "decompression
> bomb"). This could be exploited to cause a Denial of Service attack
> on the host computer due to disk space exhaustion (CAN-2005-1260).

Ubuntu have released advisory USN-127-1. I had a look through the patch that this cited, but I couldn't tell which parts of it were related to this, which were related to CAN-2005-0953, and which were other mods. I pulled this patch from http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.1.diff.gz

I've also not been able to find a diff between 1.0.2 and 1.0.3 from upstream.

I've marked this RC as it can hose a system, but if others think the likelihood of exploit is fairly small, I've no problems with it being reclassified.

-- 
Geoff Crompton
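A defensive counterpart to the advisory quoted above, added here as an example and not part of the bug report, the Ubuntu patch or the bzip2 project: a bounded decompressor built on Python's standard bz2 module that meters output, so a high-ratio stream is rejected once it passes a cap instead of exhausting disk space. The cap value, the sample streams and the function names are assumptions constructed for the example.

```python
import bz2

OUTPUT_LIMIT = 1024 * 1024  # policy cap on decompressed bytes (example value)
INPUT_CHUNK = 64 * 1024     # how much compressed input to feed per step


class OutputLimitExceeded(Exception):
    """Raised when a bzip2 stream would expand past the configured cap."""


def bounded_decompress(data, limit=OUTPUT_LIMIT):
    """Decompress `data`, never materialising more than `limit` bytes.
    BZ2Decompressor.decompress(max_length=...) meters the output, so a bomb
    is caught after limit+1 bytes instead of after the disk fills up.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pos = 0
    while not dec.eof:
        if dec.needs_input:
            if pos >= len(data):
                raise ValueError("truncated bzip2 stream")
            piece = data[pos:pos + INPUT_CHUNK]
            pos += len(piece)
        else:
            piece = b""  # decompressor still holds unconsumed input; drain it
        # Ask for at most one byte beyond the cap: if it arrives, the stream
        # is larger than policy allows and we stop without buffering the rest.
        out += dec.decompress(piece, max_length=limit - len(out) + 1)
        if len(out) > limit:
            raise OutputLimitExceeded("output exceeds %d bytes" % limit)
    return bytes(out)


def classify(data, limit=OUTPUT_LIMIT):
    """Return ('ok', size), ('bomb', None) or ('corrupt', None) for a stream."""
    try:
        return "ok", len(bounded_decompress(data, limit))
    except OutputLimitExceeded:
        return "bomb", None
    except (ValueError, OSError, EOFError):
        return "corrupt", None


# Constructed samples: 8 MiB of zeros compresses to a few hundred bytes, the
# same high-ratio shape as a decompression bomb; the second is a benign file.
BOMB_SAMPLE = bz2.compress(b"\0" * (8 * 1024 * 1024))
BENIGN_SAMPLE = bz2.compress(b"debian bug report\n" * 64)
```

This caps the consequence described in the advisory (disk exhaustion) at the consumer side; it does not fix the decompressor's infinite loop itself, which the vendor patch addresses.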