From f9ed8e44ad56a1dd655d33dff7ad2344c71e91cf Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Tue, 29 Oct 2024 12:14:08 +0100 Subject: [PATCH] Fixes out of bounds access in BZ2_decompress Resolves: RHEL-64929 --- bzip2.spec | 7 ++++++- decompress-out-of-bounds.patch | 13 +++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 decompress-out-of-bounds.patch diff --git a/bzip2.spec b/bzip2.spec index 3fa8ddc..b1d1514 100644 --- a/bzip2.spec +++ b/bzip2.spec @@ -3,7 +3,7 @@ Summary: A file compression utility Name: bzip2 Version: 1.0.6 -Release: 26%{?dist} +Release: 27%{?dist} License: BSD Group: Applications/File URL: http://www.bzip.org/ @@ -17,6 +17,7 @@ Patch2: bzip2-1.0.4-bzip2recover.patch Patch3: bzip2-ldflags.patch # resolves: #1348179 Patch4: set-out-file-to-null.patch +Patch5: decompress-out-of-bounds.patch %description Bzip2 is a freely available, patent-free, high quality data compressor. @@ -62,6 +63,7 @@ Static libraries for applications using the bzip2 compression format. %patch2 -p1 -b .bz2recover %patch3 -p1 -b .ldflags %patch4 -p1 -b .bzip2recover +%patch5 -p1 cp -a %{SOURCE1} . sed -i "s|^libdir=|libdir=%{_libdir}|" bzip2.pc @@ -140,6 +142,9 @@ ln -s bzgrep.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzfgrep.1 %{_libdir}/pkgconfig/bzip2.pc %changelog +* Tue Oct 29 2024 Jacek Migacz - 1.0.6-27 +- Fixes out of bounds access in BZ2_decompress (RHEL-64929) + * Wed Feb 07 2018 Fedora Release Engineering - 1.0.6-26 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/decompress-out-of-bounds.patch b/decompress-out-of-bounds.patch new file mode 100644 index 0000000..eaf098d --- /dev/null +++ b/decompress-out-of-bounds.patch @@ -0,0 +1,13 @@ +diff --git a/decompress.c b/decompress.c +index ab6a624db17a1c124b5be09c04b0e99d950b70ff..f3db91d14f6ed09f76fbd5c73f7db2cba5f577da 100644 +--- a/decompress.c ++++ b/decompress.c +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR); ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); + for (i = 0; i < nSelectors; i++) { + j = 0; + while (True) {