First published: Thu Dec 12 2024
There were several "Security Fixes" for bzip2: out-of-bounds write in function BZ2_decompress (<a href="https://access.redhat.com/security/cve/CVE-2019-12900">CVE-2019-12900</a>), e.g. RHSA-2024:8922 and RHSA-2024:10803.

The problem is that <a href="https://access.redhat.com/security/cve/CVE-2019-12900">CVE-2019-12900</a> is 5 years old and bogus. The applied patch causes a change in behavior which causes some bz2 files to no longer decompress. Upstream did a better fix for bzip2 1.0.8. Full story is here: <a href="https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/">https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/</a>

You can check that the new bzip2 is broken by running the upstream bzip2 testsuite:

$ git clone https://sourceware.org/git/bzip2-tests.git
$ cd bzip2-tests
$ ./run-tests.sh
[...]
bzip2: Data integrity error when decompressing.
FAIL: ./lbzip2/32767.bz2 Decompress
[...]
Bad results, look for FAIL and !!! in the logs above
- ./lbzip2/32767.bz2 bad decompress result

There should obviously be no FAILs.
Please revert this patch or apply the followup patch from 1.0.8:
<a href="https://inbox.sourceware.org/bzip2-devel/f9230fc65a3529b59b31f13494c72a1c01a6148e.camel@klomp.org/">https://inbox.sourceware.org/bzip2-devel/f9230fc65a3529b59b31f13494c72a1c01a6148e.camel@klomp.org/</a>
<a href="https://sourceware.org/cgit/bzip2/commit/?id=b07b105d1b66e32760095e3602261738443b9e13">https://sourceware.org/cgit/bzip2/commit/?id=b07b105d1b66e32760095e3602261738443b9e13</a>

Upstream reminder: Please don't "fix" CVE-2019-12900:
<a href="https://inbox.sourceware.org/bzip2-devel/20241108214034.GC8315@gnu.wildebeest.org">https://inbox.sourceware.org/bzip2-devel/20241108214034.GC8315@gnu.wildebeest.org</a>
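The regression the reporter describes comes down to one field in the bzip2 block header: the 15-bit nSelectors count. The original 1.0.7-style "fix" for CVE-2019-12900 rejects any block declaring more than BZ_MAX_SELECTORS (2 + 900000/50 = 18002, from bzlib_private.h) selectors with BZ_DATA_ERROR, while the 1.0.8 follow-up reads all declared selectors and simply discards the surplus, so files from encoders that emit more selectors than a decoder needs (such as the lbzip2 test file above) still decompress. The script below is an added diagnostic, not code from the bug report or from the bzip2 project: it parses the fixed-layout fields at the start of the first block (field order as in BZ2_decompress in decompress.c) and then tries the libbz2 linked into Python, so an operator seeing "Data integrity error" can tell whether a file trips the selector limit or is genuinely corrupt. It assumes that the file name 32767.bz2 reflects the number of selectors that file declares; the sample inputs are constructed inline.

```python
import bz2

# Limit from bzlib_private.h: 2 + (900000 / BZ_G_SIZE), with BZ_G_SIZE == 50.
BZ_MAX_SELECTORS = 2 + (900000 // 50)   # 18002

BLOCK_MAGIC = 0x314159265359   # start-of-block marker ("pi")
EOS_MAGIC = 0x177245385090     # end-of-stream marker ("sqrt(pi)")


class BitReader:
    """Reads big-endian bit fields, most significant bit first, like GET_BITS in libbz2."""

    def __init__(self, data: bytes, bit_pos: int = 0):
        self.data = data
        self.pos = bit_pos

    def read(self, nbits: int) -> int:
        value = 0
        for _ in range(nbits):
            byte_index, bit_index = divmod(self.pos, 8)
            if byte_index >= len(self.data):
                raise ValueError("unexpected end of bzip2 stream")
            value = (value << 1) | ((self.data[byte_index] >> (7 - bit_index)) & 1)
            self.pos += 1
        return value


def parse_first_block_header(data: bytes) -> dict:
    """Parse the header fields of the first block of a bzip2 stream.

    Layout (decompress.c): 48-bit block magic, 32-bit block CRC, 1-bit randomised
    flag, 24-bit origPtr, a 16-bit map of used byte ranges followed by one 16-bit
    word per set map bit, then nGroups (3 bits) and nSelectors (15 bits).
    """
    if len(data) < 4 or data[:3] != b"BZh" or not 0x31 <= data[3] <= 0x39:
        raise ValueError("not a bzip2 stream (missing BZh1..BZh9 header)")
    reader = BitReader(data, bit_pos=32)      # skip the 4-byte stream header
    magic = reader.read(48)
    if magic == EOS_MAGIC:
        raise ValueError("empty stream: no compressed blocks")
    if magic != BLOCK_MAGIC:
        raise ValueError(f"bad block magic 0x{magic:012x}")
    block_crc = reader.read(32)
    randomised = reader.read(1)
    orig_ptr = reader.read(24)
    in_use16 = reader.read(16)
    symbols_used = 0
    for i in range(16):                        # one 16-bit word per used 16-byte range
        if in_use16 & (1 << (15 - i)):
            symbols_used += bin(reader.read(16)).count("1")
    n_groups = reader.read(3)
    n_selectors = reader.read(15)
    return {
        "level": data[3] - 0x30,
        "block_crc": block_crc,
        "randomised": randomised,
        "orig_ptr": orig_ptr,
        "symbols_used": symbols_used,
        "n_groups": n_groups,
        "n_selectors": n_selectors,
    }


def rejected_by_selector_limit(n_selectors: int) -> bool:
    """True if the 1.0.7-style check (1 <= nSelectors <= BZ_MAX_SELECTORS) rejects the block.

    1.0.8 instead reads every declared selector and keeps only the first
    BZ_MAX_SELECTORS, so the same block still decompresses there.
    """
    return n_selectors < 1 or n_selectors > BZ_MAX_SELECTORS


def diagnose(data: bytes) -> str:
    """Explain why a stream does or does not decompress with the linked libbz2."""
    info = parse_first_block_header(data)
    try:
        bz2.decompress(data)
        return "decompresses"
    except (OSError, ValueError, EOFError):    # bz2 maps BZ_DATA_ERROR to OSError
        pass
    if rejected_by_selector_limit(info["n_selectors"]):
        return ("rejected: nSelectors=%d exceeds BZ_MAX_SELECTORS=%d "
                "(1.0.7-style check)" % (info["n_selectors"], BZ_MAX_SELECTORS))
    return "rejected: data error unrelated to the selector limit"


if __name__ == "__main__":
    # Constructed sample: a well-formed stream and a deliberately damaged copy of it.
    good = bz2.compress(b"hello world " * 100)
    damaged = good[:-8] + bytes([good[-8] ^ 0xFF]) + good[-7:]
    for name, blob in (("good", good), ("damaged", damaged)):
        print(name, parse_first_block_header(blob), diagnose(blob))
```

Run it against a real file with `diagnose(open(path, "rb").read())`. A stream that fails only because of the selector limit is the signature of the reverted behaviour the reporter describes; a failure with nSelectors inside the limit points at actual corruption or a different defect.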
Affected Software | Affected Version | How to fix |
---|---|---|
bzip2 | | |
The severity of REDHAT-BUG-2332075 is classified as high due to an out-of-bounds write vulnerability in bzip2.
To fix REDHAT-BUG-2332075, update bzip2 to the latest patched version provided by your distribution.
The impact of REDHAT-BUG-2332075 may allow an attacker to exploit an out-of-bounds write, potentially leading to arbitrary code execution.
You should check if your version of bzip2 is included in the list of affected versions related to REDHAT-BUG-2332075.
REDHAT-BUG-2332075 was reported in August 2019 detailing vulnerabilities in bzip2.