rpms/bzip2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix: out of bound write in bz2_decompress

Browse Source 
Resolves: RHEL-65201
This commit is contained in:
Jakub Martisko 2024-12-03 10:46:18 +01:00
parent a297cb1930
commit a39f992cf5
2 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
bzip2-out_of_bounds.patch Normal file
View File

@ -0,0 +1,32 @@
From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 28 May 2019 19:35:18 +0200
Subject: [PATCH] Make sure nSelectors is not out of range
nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
which is
UChar selectorMtf[BZ_MAX_SELECTORS];
so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
access
Fixes out of bounds access discovered while fuzzying karchive
---
decompress.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/decompress.c b/decompress.c
index ab6a624..f3db91d 100644
--- a/decompress.c
+++ b/decompress.c
@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR);
GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
for (i = 0; i < nSelectors; i++) {
j = 0;
while (True) {
--
GitLab

8
bzip2.spec
View File

@ -3,7 +3,7 @@
Summary: File compression utility Summary: File compression utility
Name: bzip2 Name: bzip2
Version: 1.0.8 Version: 1.0.8
Release: 22%{?dist} Release: 23%{?dist}
License: BSD-4-Clause License: BSD-4-Clause
URL: https://sourceware.org/bzip2 URL: https://sourceware.org/bzip2
#Source0: http://www.bzip.org/%{version}/%{name}-%{version}.tar.gz #Source0: http://www.bzip.org/%{version}/%{name}-%{version}.tar.gz
@ -19,6 +19,7 @@ Patch0: bzip2-saneso.patch
Patch1: bzip2-cflags.patch Patch1: bzip2-cflags.patch
Patch2: bzip2-ldflags.patch Patch2: bzip2-ldflags.patch
Patch3: man_gzipdiff.patch Patch3: man_gzipdiff.patch
Patch4: bzip2-out_of_bounds.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: make BuildRequires: make
@ -63,6 +64,7 @@ Static libraries for applications using the bzip2 compression format.
%patch 1 -p1 %patch 1 -p1
%patch 2 -p1 %patch 2 -p1
%patch 3 -p2 %patch 3 -p2
%patch 4 -p1
cp -a %{SOURCE1} . cp -a %{SOURCE1} .
sed -i "s|^libdir=|libdir=%{_libdir}|" bzip2.pc sed -i "s|^libdir=|libdir=%{_libdir}|" bzip2.pc
@ -129,6 +131,10 @@ ln -s bzgrep.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzfgrep.1
%{_libdir}/pkgconfig/bzip2.pc %{_libdir}/pkgconfig/bzip2.pc
%changelog %changelog
* Tue Dec 03 2024 Jakub Martisko <jamartis@redhat.com> - 1.0.8-23
- Fix out of bounds write in bz_decompress
Resolves: CVE-2019-12900
* Tue Dec 03 2024 Jakub Martisko <jamartis@redhat.com> - 1.0.8-22 * Tue Dec 03 2024 Jakub Martisko <jamartis@redhat.com> - 1.0.8-22
- Minor spec cleanup - Minor spec cleanup
- Add explicit requires for the bzip2 package - Add explicit requires for the bzip2 package