rpms/bzip2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Accept as many selectors as the file format allows (fixes CVE-2019-12900 regression)

Browse Source
This commit is contained in:
Andrew Lukoshko 2024-11-15 13:29:49 +00:00
parent c5cf32aab3
commit 3f6ff9b519
2 changed files with 91 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
SOURCES/0001-Accept-as-many-selectors-as-the-file-format-allows.patch Normal file
View File

@ -0,0 +1,81 @@
From b07b105d1b66e32760095e3602261738443b9e13 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Wed, 3 Jul 2019 01:28:11 +0200
Subject: [PATCH] Accept as many selectors as the file format allows.
But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS.
The theoretical maximum number of selectors depends on the maximum
blocksize (900000 bytes) and the number of symbols (50) that can be
encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002.
But the bzip2 file format allows the number of selectors to be encoded
with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in
14 bits). So the file format maximum is 32767 selectors.
Some bzip2 encoders might actually have written out more selectors
than the theoretical maximum because they rounded up the number of
selectors to some convenient factor of 8.
The extra 14766 selectors can never be validly used by the decompression
algorithm. So we can read them, but then discard them.
This is effectively what was done (by accident) before we added a
check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate
CVE-2019-12900.
The extra selectors were written out after the array inside the
EState struct. But the struct has extra space allocated after the
selector arrays of 18060 bytes (which is larger than 14766).
All of which will be initialized later (so the overwrite of that
space with extra selector values would have been harmless).
---
compress.c | 2 +-
decompress.c | 10 ++++++++--
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/compress.c b/compress.c
index 237620d..76adee6 100644
--- a/compress.c
+++ b/compress.c
@@ -454,7 +454,7 @@ void sendMTFValues ( EState* s )
AssertH( nGroups < 8, 3002 );
AssertH( nSelectors < 32768 &&
- nSelectors <= (2 + (900000 / BZ_G_SIZE)),
+ nSelectors <= BZ_MAX_SELECTORS,
3003 );
diff --git a/decompress.c b/decompress.c
index 20ce493..3303499 100644
--- a/decompress.c
+++ b/decompress.c
@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR);
GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
- if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+ if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
for (i = 0; i < nSelectors; i++) {
j = 0;
while (True) {
@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s )
j++;
if (j >= nGroups) RETURN(BZ_DATA_ERROR);
}
- s->selectorMtf[i] = j;
+ /* Having more than BZ_MAX_SELECTORS doesn't make much sense
+ since they will never be used, but some implementations might
+ "round up" the number of selectors, so just ignore those. */
+ if (i < BZ_MAX_SELECTORS)
+ s->selectorMtf[i] = j;
}
+ if (nSelectors > BZ_MAX_SELECTORS)
+ nSelectors = BZ_MAX_SELECTORS;
/*--- Undo the MTF values for the selectors. ---*/
{
--
2.43.5

11
SPECS/bzip2.spec
View File

@ -3,7 +3,7 @@
Summary: A file compression utility Summary: A file compression utility
Name: bzip2 Name: bzip2
Version: 1.0.6 Version: 1.0.6
Release: 27%{?dist} Release: 27%{?dist}.alma.1
License: BSD License: BSD
Group: Applications/File Group: Applications/File
URL: http://www.bzip.org/ URL: http://www.bzip.org/
@ -19,6 +19,10 @@ Patch3: bzip2-ldflags.patch
Patch4: set-out-file-to-null.patch Patch4: set-out-file-to-null.patch
Patch5: decompress-out-of-bounds.patch Patch5: decompress-out-of-bounds.patch
# AlmaLinux patches
# https://inbox.sourceware.org/bzip2-devel/20241108214034.GC8315@gnu.wildebeest.org/
Patch100: 0001-Accept-as-many-selectors-as-the-file-format-allows.patch
%description %description
Bzip2 is a freely available, patent-free, high quality data compressor. Bzip2 is a freely available, patent-free, high quality data compressor.
Bzip2 compresses files to within 10 to 15 percent of the capabilities Bzip2 compresses files to within 10 to 15 percent of the capabilities
@ -65,6 +69,8 @@ Static libraries for applications using the bzip2 compression format.
%patch4 -p1 -b .bzip2recover %patch4 -p1 -b .bzip2recover
%patch5 -p1 %patch5 -p1
%patch100 -p1
cp -a %{SOURCE1} . cp -a %{SOURCE1} .
sed -i "s|^libdir=|libdir=%{_libdir}|" bzip2.pc sed -i "s|^libdir=|libdir=%{_libdir}|" bzip2.pc
@ -142,6 +148,9 @@ ln -s bzgrep.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzfgrep.1
%{_libdir}/pkgconfig/bzip2.pc %{_libdir}/pkgconfig/bzip2.pc
%changelog %changelog
* Fri Nov 15 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 1.0.6-27.alma.1
- Accept as many selectors as the file format allows (fixes CVE-2019-12900 regression)
* Tue Oct 29 2024 Jacek Migacz <jmigacz@redhat.com> - 1.0.6-27 * Tue Oct 29 2024 Jacek Migacz <jmigacz@redhat.com> - 1.0.6-27
- Fixes out of bounds access in BZ2_decompress (RHEL-64929) - Fixes out of bounds access in BZ2_decompress (RHEL-64929)