Greetings,

attached diff fixes CVE-2019-12900 (BZ2_decompress in decompress.c in
bzip2 through 1.0.6 has an out-of-bounds write when there are many
selectors.) The vulnerability has a CVSS v3.0 score of 9.8 "CRITICAL".

It is essentially the patch from
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc

Comments?

Kind Regards,

Henry
diff -urN archivers/bzip2/Makefile mystuff/archivers/bzip2/Makefile
--- archivers/bzip2/Makefile	Fri Aug 24 21:06:12 2018
+++ mystuff/archivers/bzip2/Makefile	Mon Jun 24 15:37:39 2019
@@ -3,7 +3,7 @@
 COMMENT=	block-sorting file compressor, unencumbered
 
 DISTNAME=	bzip2-1.0.6
-REVISION=	9
+REVISION=	10
 
 CATEGORIES=	archivers
 
diff -urN archivers/bzip2/patches/patch-decompress_c mystuff/archivers/bzip2/patches/patch-decompress_c
--- archivers/bzip2/patches/patch-decompress_c	Thu Jan  1 01:00:00 1970
+++ mystuff/archivers/bzip2/patches/patch-decompress_c	Mon Jun 24 15:50:00 2019
@@ -0,0 +1,12 @@
+Index: decompress.c
+--- decompress.c.orig
++++ decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+       for (i = 0; i < nSelectors; i++) {
+          j = 0;
+          while (True) {
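
Review bot: patch-decompress_c has no explanatory line above `Index: decompress.c`; add a short comment naming CVE-2019-12900 and the upstream commit so the reason for the new bound on `nSelectors` stays with the patch. On the check itself, `GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15)` reads a 15-bit value, so the stream can declare up to 32767 selectors, and the definition of `BZ_MAX_SELECTORS` is outside this hunk: please confirm that `>` rather than `>=` matches the size of the array the following `for (i = 0; i < nSelectors; i++)` loop fills, and note that every stream declaring more than that now fails with `BZ_DATA_ERROR`.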
