Security-Announce archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2008-004: bzip2(1) Multiple issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2008-004
                 =================================

Topic:          bzip2(1) Multiple issues

Version:        NetBSD-current:         affected
                NetBSD 4.0:             affected
                NetBSD 3.1.*:           affected
                NetBSD 3.1:             affected
                NetBSD 3.0:             affected
                NetBSD 3.0.*:           affected

Severity:       Denial of Service and Race Condition

Fixed:          NetBSD-current:         March 18, 2008
                NetBSD-4 branch:        March 24, 2008
                        (4.1 will include the fix)
                NetBSD-4-0 branch:      March 24, 2008
                        (4.0.1 will include the fix)
                NetBSD-3-1 branch:      March 26, 2008
                        (3.1.2 will include the fix)
                NetBSD-3-0 branch:      March 26, 2008
                        (3.0.4 will include the fix)
                NetBSD-3 branch:        March 26, 2008
                        (3.2 will include the fix)
                pkgsrc:                 bzip2-1.0.5 corrects the issue


Abstract
========

Multiple issues have been found with the version of bzip2 that ships
with NetBSD 3.x, NetBSD 4.x and NetBSD-current.  In order to address
all these issues bzip2 has been updated to the latest version currently
available which contains fixes for these issues.  The two known security
issues included a race condition and a denial of service.

These vulnerabilities have been assigned CVE-2008-1372 for the denial of 
service and CVE-2005-0953 for the race condition.


Technical Details
=================

The race condition may allow an attacker to modify the permissions on
an existing file owned by a user when a user extracts a crafted bzip2
compressed file.  The attacker must have access to the directory in 
which the file is being decompressed to in order to exploit this issue.

An attacker may be able to crash bzip2 by supplying a user with a crafted
bzip2 compressed file.


Solutions and Workarounds
=========================

It is recommended that NetBSD users of vulnerable versions update
their binaries.

The following instructions describe how to upgrade your bzip2(1)
binaries by updating your source tree and rebuilding and
installing a new version of bzip2(1).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-03-18
        should be upgraded to NetBSD-current dated 2008-03-19 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                dist/bzip2
                distrib/sets/lists/base/shl.mi
                distrib/sets/lists/man/mi
                distrib/sets/lists/misc/mi
                doc/3RDPARTY
                lib/libbz2/Makefile
                lib/libbz2/shlib_version

        To update from CVS, re-build, and re-install bzip2:

                # cd src
                # cvs update -d -P dist/bzip2
                # cvs update \
                        distrib/sets/lists/base/shl.mi \
                        distrib/sets/lists/man/mi \
                        distrib/sets/lists/misc/mi \
                        doc/3RDPARTY \
                        lib/libbz2/Makefile \
                        lib/libbz2/shlib_version
                # cd lib/libbz2
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # rm -f /usr/lib/libbz2.so.1.0
                # cd ../../usr.bin/bzip2
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../usr.bin/bzip2recover
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2008-03-24 should be upgraded from NetBSD 4.* sources dated
        2008-03-25 or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                dist/bzip2
                distrib/sets/lists/base/shl.mi
                distrib/sets/lists/man/mi
                distrib/sets/lists/misc/mi
                doc/3RDPARTY
                lib/libbz2/Makefile
                lib/libbz2/shlib_version

        To update from CVS, re-build, and re-install bzip2:

                # cd src
                # cvs update -d -P -r <branch_name> dist/bzip2
                # cvs update -r <branch_name> \
                        distrib/sets/lists/base/shl.mi \
                        distrib/sets/lists/man/mi \
                        distrib/sets/lists/misc/mi \
                        doc/3RDPARTY \
                        lib/libbz2/Makefile \
                        lib/libbz2/shlib_version
                # cd lib/libbz2
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # rm -f /usr/lib/libbz2.so.1.0
                # cd ../../usr.bin/bzip2
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../usr.bin/bzip2recover
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 3.*:

        Systems running NetBSD 3.* sources dated from before
        2008-03-26 should be upgraded from NetBSD 3.* sources dated
        2008-03-27 or later.

        The following files/directories need to be updated from the
        netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
                dist/bzip2
                distrib/sets/lists/base/shl.mi
                distrib/sets/lists/man/mi
                distrib/sets/lists/misc/mi
                doc/3RDPARTY
                lib/libbz2/Makefile
                lib/libbz2/shlib_version

        To update from CVS, re-build, and re-install bzip2:

                # cd src
                # cvs update -d -P -r <branch_name> dist/bzip2
                # cvs update -r <branch_name> \
                        distrib/sets/lists/base/shl.mi \
                        distrib/sets/lists/man/mi \
                        distrib/sets/lists/misc/mi \
                        doc/3RDPARTY \
                        lib/libbz2/Makefile \
                        lib/libbz2/shlib_version
                # cd lib/libbz2
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # rm -f /usr/lib/libbz2.so.1.0
                # cd ../../usr.bin/bzip2
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../usr.bin/bzip2recover
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Christos Zoulas for importing the fixes into HEAD.


Revision History
================

        2008-04-21      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-004.txt,v 1.1 2008/04/15 20:19:56 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSAUSHj5Ru2/4N2IFAQIO7wP/bP2okQsZUoLy0Tw/5EFLui7LFcjTR13H
Y5mOyvCQnPOFlJGbEOo1xUdN0ZNjIhsVIgGvo4ErFhG/bSWndFrg5YZbWxeFE34/
lu1laER9UVXbZp3R88beRe8zjz9GCewjjQSYn9PnR8VE/QxZHr4mrY7YENyhJOcw
Rm615QLhJoA=
=KOx2
-----END PGP SIGNATURE-----



Home | Main Index | Thread Index | Old Index