From a39f992cf57484865238ee9aeecb8d451e39f16c Mon Sep 17 00:00:00 2001
From: Jakub Martisko
Date: Tue, 3 Dec 2024 10:46:18 +0100
Subject: [PATCH] Fix: out of bound write in bz2_decompress
Resolves: RHEL-65201
---
 bzip2-out_of_bounds.patch | 32 ++++++++++++++++++++++++++++++++
 bzip2.spec | 8 +++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 bzip2-out_of_bounds.patch
diff --git a/bzip2-out_of_bounds.patch b/bzip2-out_of_bounds.patch
new file mode 100644
index 0000000..f7563a2
--- /dev/null
+++ b/bzip2-out_of_bounds.patch
@@ -0,0 +1,32 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+ UChar selectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+
+Fixes out of bounds access discovered while fuzzying karchive
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
++++ b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+ GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+ if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR);
+ GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+ for (i = 0; i < nSelectors; i++) {
+ j = 0;
+ while (True) {
+--
+GitLab
+
diff --git a/bzip2.spec b/bzip2.spec
index 2a979dd..0eacd98 100644
--- a/bzip2.spec
+++ b/bzip2.spec
@@ -3,7 +3,7 @@
 Summary: File compression utility
 Name: bzip2
 Version: 1.0.8
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: BSD-4-Clause
 URL: https://sourceware.org/bzip2
 #Source0: http://www.bzip.org/%{version}/%{name}-%{version}.tar.gz
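Review bot: The guard added in the decompress.c hunk carried by bzip2-out_of_bounds.patch, `if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);`, makes an over-large selector count a hard decode error, while the spec still packages Version 1.0.8. As far as I recall, upstream 1.0.8 already bounds the selectorMtf write further down in the same loop (it skips the store for `i >= BZ_MAX_SELECTORS` and clamps nSelectors afterwards), because the hard reject shipped in 1.0.7 refused valid streams from compressors that round the selector count up. That code lies past the three context lines shown here, and BZ2_decompress continues outside the hunk, so this needs confirming against the unpacked tarball. If it is present, this patch adds no memory-safety protection and only restores the compatibility regression, so the finding would be better closed as already fixed. If the patch stays, a `%check` case that decompresses a stream with a rounded-up selector count would make the behaviour change visible.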
@@ -19,6 +19,7 @@ Patch0: bzip2-saneso.patch
 Patch1: bzip2-cflags.patch
 Patch2: bzip2-ldflags.patch
 Patch3: man_gzipdiff.patch
+Patch4: bzip2-out_of_bounds.patch
 BuildRequires: gcc
 BuildRequires: make
@@ -63,6 +64,7 @@ Static libraries for applications using the bzip2 compression format.
 %patch 1 -p1
 %patch 2 -p1
 %patch 3 -p2
+%patch 4 -p1
 cp -a %{SOURCE1} .
 sed -i "s|^libdir=|libdir=%{_libdir}|" bzip2.pc
@@ -129,6 +131,10 @@ ln -s bzgrep.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzfgrep.1
 %{_libdir}/pkgconfig/bzip2.pc
 %changelog
+* Tue Dec 03 2024 Jakub Martisko - 1.0.8-23
+- Fix out of bounds write in bz_decompress
+Resolves: CVE-2019-12900
+
 * Tue Dec 03 2024 Jakub Martisko - 1.0.8-22
 - Minor spec cleanup
 - Add explicit requires for the bzip2 package