NetBSD Security Advisory 2008-004: bzip2(1) Multiple issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2008-004
=================================
Topic: bzip2(1) Multiple issues
Version: NetBSD-current: affected
NetBSD 4.0: affected
NetBSD 3.1.*: affected
NetBSD 3.1: affected
NetBSD 3.0: affected
NetBSD 3.0.*: affected
Severity: Denial of Service and Race Condition
Fixed: NetBSD-current: March 18, 2008
NetBSD-4 branch: March 24, 2008
(4.1 will include the fix)
NetBSD-4-0 branch: March 24, 2008
(4.0.1 will include the fix)
NetBSD-3-1 branch: March 26, 2008
(3.1.2 will include the fix)
NetBSD-3-0 branch: March 26, 2008
(3.0.4 will include the fix)
NetBSD-3 branch: March 26, 2008
(3.2 will include the fix)
pkgsrc: bzip2-1.0.5 corrects the issue
Abstract
========
Multiple issues have been found with the version of bzip2 that ships
with NetBSD 3.x, NetBSD 4.x and NetBSD-current. To address them, the
bzip2 sources in the base system have been updated to the latest upstream
release currently available (1.0.5, the same version that corrects the
issue in pkgsrc), which contains fixes for all of them. The two issues
with security impact are a race condition in the way bzip2 restores file
permissions on the output it writes, and a denial of service (a crash on
a crafted input file).
These vulnerabilities have been assigned CVE-2005-0953 for the race
condition and CVE-2008-1372 for the denial of service.
Technical Details
=================
The race condition (CVE-2005-0953) is in the way bzip2 restores the
original file's permissions on the decompressed output. The output file is
created and written, and then, after decompression has finished, its mode
is set by pathname rather than through the descriptor bzip2 still holds
open on it. An attacker with write access to the directory in which the
file is being decompressed can, in the window between creation of the
output file and the final permission change, replace the output name with
a hard link to another file owned by the user; the permission change is
then applied to that file. The archive itself does not have to be
malicious for this; the attacker only needs to win the race in a
directory they can write to. The fixed version applies the saved
permissions and ownership to the open descriptor instead.
The denial of service (CVE-2008-1372) is a crash in the decompressor
triggered by a crafted bzip2 stream. An attacker may crash bzip2 by
supplying a user with such a file. Because the decompression code lives
in libbz2, any other program linked against the library is exposed in the
same way, which is why the update below rebuilds libbz2 as well as the
bzip2(1) and bzip2recover(1) programs.
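The permission race described above, reduced to its essentials as an added example; this is not NetBSD's or bzip2's own code. A stand-in decompressor creates its output file, writes it, and then restores a saved mode either by pathname (chmod(2), the vulnerable pattern) or through the still-open descriptor (fchmod(2), the fix). The attacker's move, replacing the output name with a hard link to a file the user owns, is called synchronously so the lost race is reproduced deterministically. The function names, the temporary directory under /tmp, and the 0600/0666 modes are assumptions for the illustration.

```c
/*
 * Added illustration (not NetBSD's or bzip2's own code) of the permission
 * race class behind CVE-2005-0953. Restoring a mode by pathname operates
 * on whatever the name points to at that moment; restoring it through the
 * descriptor the writer still holds cannot be redirected by anyone who
 * can write the directory. The attacker's swap is invoked directly to
 * model a lost race deterministically. Assumes a POSIX system with a
 * writable /tmp on one file system (hard links must stay on it).
 */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef enum { FIXUP_BY_NAME, FIXUP_BY_FD } fixup_t;

/* What the attacker does in the race window: replace the output name with
 * a hard link to the user's other file (same directory, same file system). */
static int attacker_swap(const char *out, const char *victim)
{
    if (unlink(out) != 0)
        return -1;
    return link(victim, out);
}

/* Write the (pretend) decompressed data to `out`, then restore `mode`
 * either the vulnerable way (chmod by name) or the hardened way (fchmod
 * on the open descriptor). */
static int write_and_restore_mode(const char *out, const char *victim,
                                  mode_t mode, fixup_t how)
{
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    static const char data[] = "decompressed payload\n";
    if (write(fd, data, sizeof data - 1) != (ssize_t)(sizeof data - 1)) {
        close(fd);
        return -1;
    }
    /* Race window: the attacker wins before the mode is restored. */
    if (attacker_swap(out, victim) != 0) {
        close(fd);
        return -1;
    }
    int rc = (how == FIXUP_BY_NAME) ? chmod(out, mode) : fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Run one scenario in a fresh temporary directory and return the victim
 * file's permission bits afterwards (or -1 on setup failure). The victim
 * starts at 0600; the "saved" mode the decompressor restores is 0666.
 * With chmod-by-name the victim ends up 0666; with fchmod it stays 0600. */
int victim_mode_after(fixup_t how)
{
    char dir[] = "/tmp/bzrace.XXXXXX";     /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;
    char victim[64], out[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        return -1;
    close(vfd);
    if (chmod(victim, 0600) != 0)           /* remove any umask influence */
        return -1;

    write_and_restore_mode(out, victim, 0666, how);

    struct stat st;
    int result = (stat(victim, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(out);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod by name : victim mode after race = %04o\n",
           (unsigned)victim_mode_after(FIXUP_BY_NAME));
    printf("fchmod on fd  : victim mode after race = %04o\n",
           (unsigned)victim_mode_after(FIXUP_BY_FD));
    return 0;
}
```

The same reasoning applies to chown(2) versus fchown(2) and to utimes-style calls: once the writer holds a descriptor, every attribute fixup on the output should go through that descriptor rather than back through a name that a directory-writer can re-point.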
Solutions and Workarounds
=========================
NetBSD users of vulnerable versions should update their bzip2 binaries
and the libbz2 shared library.
The following instructions describe how to do this by updating your
source tree and rebuilding and installing bzip2(1), bzip2recover(1) and
libbz2. The update bumps the shared library's minor version
(lib/libbz2/shlib_version); the old /usr/lib/libbz2.so.1.0 is removed in
the steps below so that no program keeps loading the unfixed library.
* NetBSD-current:
Systems running NetBSD-current dated from before 2008-03-18
should be upgraded to NetBSD-current dated 2008-03-19 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
dist/bzip2
distrib/sets/lists/base/shl.mi
distrib/sets/lists/man/mi
distrib/sets/lists/misc/mi
doc/3RDPARTY
lib/libbz2/Makefile
lib/libbz2/shlib_version
To update from CVS, re-build, and re-install bzip2:
# cd src
# cvs update -d -P dist/bzip2
# cvs update \
distrib/sets/lists/base/shl.mi \
distrib/sets/lists/man/mi \
distrib/sets/lists/misc/mi \
doc/3RDPARTY \
lib/libbz2/Makefile \
lib/libbz2/shlib_version
# cd lib/libbz2
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# rm -f /usr/lib/libbz2.so.1.0
# cd ../../usr.bin/bzip2
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../usr.bin/bzip2recover
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 4.*:
Systems running NetBSD 4.* sources dated from before
2008-03-24 should be upgraded from NetBSD 4.* sources dated
2008-03-25 or later.
The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
dist/bzip2
distrib/sets/lists/base/shl.mi
distrib/sets/lists/man/mi
distrib/sets/lists/misc/mi
doc/3RDPARTY
lib/libbz2/Makefile
lib/libbz2/shlib_version
To update from CVS, re-build, and re-install bzip2:
# cd src
# cvs update -d -P -r <branch_name> dist/bzip2
# cvs update -r <branch_name> \
distrib/sets/lists/base/shl.mi \
distrib/sets/lists/man/mi \
distrib/sets/lists/misc/mi \
doc/3RDPARTY \
lib/libbz2/Makefile \
lib/libbz2/shlib_version
# cd lib/libbz2
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# rm -f /usr/lib/libbz2.so.1.0
# cd ../../usr.bin/bzip2
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../usr.bin/bzip2recover
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 3.*:
Systems running NetBSD 3.* sources dated from before
2008-03-26 should be upgraded from NetBSD 3.* sources dated
2008-03-27 or later.
The following files/directories need to be updated from the
netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
dist/bzip2
distrib/sets/lists/base/shl.mi
distrib/sets/lists/man/mi
distrib/sets/lists/misc/mi
doc/3RDPARTY
lib/libbz2/Makefile
lib/libbz2/shlib_version
To update from CVS, re-build, and re-install bzip2:
# cd src
# cvs update -d -P -r <branch_name> dist/bzip2
# cvs update -r <branch_name> \
distrib/sets/lists/base/shl.mi \
distrib/sets/lists/man/mi \
distrib/sets/lists/misc/mi \
doc/3RDPARTY \
lib/libbz2/Makefile \
lib/libbz2/shlib_version
# cd lib/libbz2
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# rm -f /usr/lib/libbz2.so.1.0
# cd ../../usr.bin/bzip2
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../usr.bin/bzip2recover
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Christos Zoulas for importing the fixes into HEAD.
Revision History
================
2008-04-21 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-004.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2008, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2008-004.txt,v 1.1 2008/04/15 20:19:56 adrianp Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
iQCVAwUBSAUSHj5Ru2/4N2IFAQIO7wP/bP2okQsZUoLy0Tw/5EFLui7LFcjTR13H
Y5mOyvCQnPOFlJGbEOo1xUdN0ZNjIhsVIgGvo4ErFhG/bSWndFrg5YZbWxeFE34/
lu1laER9UVXbZp3R88beRe8zjz9GCewjjQSYn9PnR8VE/QxZHr4mrY7YENyhJOcw
Rm615QLhJoA=
=KOx2
-----END PGP SIGNATURE-----