LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Reload this Page bzip2 1.0.2 Security Issue
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 05-27-2005, 01:40 PM   #1
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Exclamation bzip2 1.0.2 Security Issue

Quote:
Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2005-0953

the bzip2 website states that:
Quote:
The current version is 1.0.3, released 15 February 2005.
i'm on an up-to-date slackware 10.1 and it currently has bzip2 1.0.2:
Code:
bash-3.00$ ls /var/log/packages/ | grep bzip2
bzip2-1.0.2-i486-5
Last edited by win32sux; 06-13-2005 at 08:22 PM.
 
Old 05-27-2005, 11:34 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
BTW, there also seems to be a DoS issue fixed in bzip2 1.0.3:
Quote:
bzip2 decompression bomb vulnerability
======================================

Programs affected: bzip2 and programs which reuse bzip2
Severity: Decompression bomb leading to DoS
Discovered date: May 4th 2005
Vendor notified date: May 4th 2005
Updates being released (issue out of the bag): May 20th 2005

Whilst playing with "random bitflipping" technology, an effective decompression bomb attack against bzip2 was identified. bzip2 can be made to decompress into a file indefinitely when it encounters a suitably corrupt bzip2 archive.

This vulnerability and allegedly others are already fixed in v1.0.3. However, the uptake of v1.0.3 has been slow; there does not seem to be an awareness that v1.0.3 fixes security issues. Security updates are required and vendors need to check their codebases for static copies of bzip code.
http://scary.beasts.org/security/CESA-2005-002.txt


there's a decompression bomb demo here: http://scary.beasts.org/misc/bomb.bz2

here's the secunia advisory: http://secunia.com/advisories/15447/

and the CVE CAN: http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1260

Last edited by win32sux; 05-27-2005 at 11:40 PM.
 
Old 06-13-2005, 06:49 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
the issue has (finally) been addressed in slackware-current:
Quote:
Sun Jun 12 21:48:25 PDT 2005
a/bzip2-1.0.3-i486-1.tgz: Upgraded to bzip2-1.0.3.
http://www.slackware.com/changelog/current.php?cpu=i386
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Samba Security issue boyd98 Linux - Networking 1 03-23-2005 04:45 PM
webmin issue, poss security issue bejiita Slackware 3 11-03-2004 06:07 AM
Security issue in Slackware 9.1 odin123 Slackware 6 11-03-2003 08:44 AM
Directory security issue malcie Linux - Newbie 4 07-18-2003 07:10 AM
Security issue.. marcoc Linux - Newbie 8 05-01-2002 06:14 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 11:14 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration