Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Tue, 18 Mar 2008 15:34:03 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: bzip2 CERT-FI: 20469

Hey,

CERT-FI: 20469 [1] was released yesterday, and with it a new bzip2 
release, quoting their CHANGES:

1.0.5 (10 Dec 07)
~~~~~~~~~~~~~~~~~
Security fix only.  Fixes CERT-FI 20469 as it applies to bzip2.


Reading the patch [2], it's missing a boundary check that can lead to an 
over-read on the tt/ll heap-buffer. I'd call this a DoS, did anyone 
else review?

Thanks,
Robert


[1] 
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
[2] https://bugs.gentoo.org/attachment.cgi?id=146488&action=view


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux