What is CVE-2016-3189?

CVE-2016-3189 is a use-after-free vulnerability in bzip2recover in bzip2 1.0.6 that allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file.

How does CVE-2016-3189 impact the affected software?

CVE-2016-3189 can cause a denial of service (crash) in the affected software when a crafted bzip2 file is processed.

What is the severity of CVE-2016-3189?

CVE-2016-3189 has a severity rating of 6.5 (Medium).

Which versions of bzip2 are affected by CVE-2016-3189?

Versions 1.0.6-9.2~deb10u1, 1.0.6-9.2~deb10u2, 1.0.8-4, and 1.0.8-5 of bzip2 are affected by CVE-2016-3189.

How can I fix CVE-2016-3189 in bzip2?

To fix CVE-2016-3189 in bzip2, update to version 1.0.6-9.2~deb10u1, 1.0.6-9.2~deb10u2, 1.0.8-4, or 1.0.8-5.

Vulnerability/
CVE-2016-3189

medium

6.5

CWE

416

21/3/2016

30/6/2016

5/8/2024

CVE-2016-3189: Use After Free

First published: Mon Mar 21 2016(Updated: )

A heap use after free vulnerability was reported in bzip2recover. A maliciously crafted file could cause the application to crash. Proposed patch attached. == ASAN output & backtrace == bzip2recover 1.0.6: extracts blocks from damaged .<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED CURRENTRELEASE - broken links of default index.html" href="show_bug.cgi?id=2">bz2</a> files. /opt/bzip-asan/bin/bzip2recover: searching for block boundaries ... block 1 runs from 176 to 175 block 2 runs from 224 to 871 block 3 runs from 920 to 919 block 4 runs from 968 to 1024 (incomplete) bzip2recover: splitting into blocks writing block 2 to `crasherfile1' ... Program received signal SIGSEGV, Segmentation fault. ================================================================= ==8476== ERROR: AddressSanitizer: heap-use-after-free on address 0x60060000ef8c at pc 0x40277c bp 0x7fff7f1afe90 sp 0x7fff7f1afe80 READ of size 4 at 0x60060000ef8c thread T0 #0 0x40277b (/opt/bzip-asan/bin/bzip2recover+0x40277b) #1 0x401f35 (/opt/bzip-asan/bin/bzip2recover+0x401f35) #2 0x7f10fcae2af4 (/usr/lib64/libc-2.17.so+0x21af4) #3 0x4020e4 (/opt/bzip-asan/bin/bzip2recover+0x4020e4) 0x60060000ef8c is located 12 bytes inside of 24-byte region [0x60060000ef80,0x60060000ef98) freed by thread T0 here: #0 0x7f10fce98009 (/usr/lib64/libasan.so.0.0.0+0x16009) #1 0x40205c (/opt/bzip-asan/bin/bzip2recover+0x40205c) previously allocated by thread T0 here: #0 0x7f10fce98129 (/usr/lib64/libasan.so.0.0.0+0x16129) #1 0x40175f (/opt/bzip-asan/bin/bzip2recover+0x40175f) Shadow bytes around the buggy address: 0x0c013fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c013fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c013fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c013fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c013fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c013fff9df0: fd[fd]fd fa fa fa 00 00 00 fa fa fa fd fd fd fa 0x0c013fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c013fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c013fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c013fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c013fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe bt #0 0x00007ffff7a8fa11 in putc () from /lib64/libc.so.6 #1 0x00000000004046ad in bsPutBit (bit=0x0, bs=<optimized out>) at bzip2recover.c:183 #2 bsPutUChar (c=<optimized out>, bs=<optimized out>) at bzip2recover.c:246 #3 main (argc=<optimized out>, argv=<optimized out>) at bzip2recover.c:455 #4 0x00007ffff7a3caf5 in __libc_start_main () from /lib64/libc.so.6 #5 0x0000000000405bd9 in _start ()

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Bzip Bzip2	=1.0.6
Python Python	>=3.7.0<3.7.13
Python Python	>=3.8.0<3.8.13
Python Python	>=3.9.0<3.9.11
Python Python	>=3.10.0<3.10.3
debian/bzip2		1.0.8-4 1.0.8-5 1.0.8-6

Remedy

https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=diff

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2016-3189?
CVE-2016-3189 is a use-after-free vulnerability in bzip2recover in bzip2 1.0.6 that allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file.
How does CVE-2016-3189 impact the affected software?
CVE-2016-3189 can cause a denial of service (crash) in the affected software when a crafted bzip2 file is processed.
What is the severity of CVE-2016-3189?
CVE-2016-3189 has a severity rating of 6.5 (Medium).
Which versions of bzip2 are affected by CVE-2016-3189?
Versions 1.0.6-9.2~deb10u1, 1.0.6-9.2~deb10u2, 1.0.8-4, and 1.0.8-5 of bzip2 are affected by CVE-2016-3189.
How can I fix CVE-2016-3189 in bzip2?
To fix CVE-2016-3189 in bzip2, update to version 1.0.6-9.2~deb10u1, 1.0.6-9.2~deb10u2, 1.0.8-4, or 1.0.8-5.

collector/nvd-index
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2016-3189
agent/type
agent/author
agent/first-publish-date
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
agent/severity
agent/remedy
agent/weakness
agent/description
agent/references
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/tags
agent/event
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
vendor/bzip
canonical/bzip bzip2
version/bzip bzip2/1.0.6
vendor/python
canonical/python python
version/python python/3.7.0
version/python python/3.8.0
version/python python/3.9.0
version/python python/3.10.0
package-manager/debian