tech-security archive


NetBSD Security Advisory 2010-007: Integer overflow in libbz2 decompression code



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2010-007
                 =================================

Topic:          Integer overflow in libbz2 decompression code

Version:        NetBSD-current: source prior to September 21, 2010
                NetBSD 5.0:             affected
                NetBSD 4.0.1:           affected
                pkgsrc:                 bzip2 package prior to 1.0.6

Severity:       potential remote DoS or code-injection attack

Fixed:          NetBSD-current:         Sep 20, 2010
                NetBSD-5 branch         Sep 23, 2010
                NetBSD-5-0 branch       Sep 23, 2010
                NetBSD-4 branch         Sep 23, 2010
                NetBSD-4-0 branch       Sep 23, 2010
                pkgsrc 2010Q2:          bzip2-1.0.6 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The bzip2/bunzip2 functions and the libbz2 library provide compression
and decompression functionality similar to gzip/gunzip and libgzip, but
with a better compression ratio and worse compression performance.

The bug described in CVE-2010-0405 affects decompression and can cause
a local or remote DoS or possibly arbitrary code execution in a
program that tries to decompress attacker-controlled streams.


Technical Details
=================

There is an integer overflow in the bzip2 decompression code which
can cause a negative value to be used as a buffer size.
The bzip2 code is also used in other derivative programs such as tar(1)
and pax(1), so utilities using these programs can be affected.
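
The overflow class described above, as an added example that is not part
of the advisory or of the libbz2 source: a simplified C model of a
bzip2-style run-length accumulator, shown unchecked and with a bound on
the weight. The function names and the symbol encoding (0 for RUNA, 1 for
RUNB) are assumptions for illustration; the 2*1024*1024 bound mirrors the
check present in bzip2 1.0.6.

```c
/* Added example: simplified model, not the libbz2 source. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RUN_WEIGHT_CAP (2 * 1024 * 1024) /* bound bzip2 1.0.6 puts on the weight */

/* A run is coded as symbols 0 (RUNA) or 1 (RUNB); symbol i adds
 * (sym + 1) * N to the length and N doubles after every symbol. */

/* Unchecked 32-bit accumulation. Wraparound is modelled with unsigned
 * arithmetic (signed overflow is undefined in C); the final conversion
 * shows the value a signed 32-bit length variable would hold on a
 * two's-complement target. */
int32_t run_length_unchecked(const uint8_t *syms, size_t n)
{
    uint32_t es = UINT32_MAX, N = 1;        /* es starts at -1 */
    for (size_t i = 0; i < n; i++) {
        es += (uint32_t)(syms[i] + 1) * N;
        N *= 2;
    }
    return (int32_t)(es + 1);
}

/* Checked: reject the stream before the weight can grow large enough
 * to overflow. Returns 0 and stores the length, or -1 for bad data. */
int run_length_checked(const uint8_t *syms, size_t n, int32_t *len)
{
    int32_t es = -1, N = 1;
    for (size_t i = 0; i < n; i++) {
        if (N >= RUN_WEIGHT_CAP)
            return -1;                      /* treat as a data error */
        es += (syms[i] + 1) * N;
        N *= 2;
    }
    *len = es + 1;
    return 0;
}

int main(void)
{
    uint8_t run[31];                        /* constructed input: 31 x RUNB */
    int32_t len = 0;
    for (size_t i = 0; i < sizeof run; i++)
        run[i] = 1;
    printf("unchecked: %d\n", (int)run_length_unchecked(run, sizeof run));
    printf("checked:   %d\n", run_length_checked(run, sizeof run, &len));
    return 0;
}
```

With the bound in place the longest accepted run is 21 symbols, so the
accumulated length stays far below the 32-bit signed limit.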


Solutions and Workarounds
=========================

- Patch, recompile, and re-install libbz2, then restart all daemons
  that may be affected

  CVS branch    file                            revision
  ------------- ----------------                --------
  HEAD          src/dist/bzip2/decompress.c     1.2

  netbsd-5.0    src/dist/bzip2/decompress.c     1.1.1.3
  netbsd-5      src/dist/bzip2/decompress.c     1.1.1.3

  netbsd-4.0    src/dist/bzip2/decompress.c     1.1.1.3
  netbsd-4      src/dist/bzip2/decompress.c     1.1.1.3

The following instructions briefly summarize how to update and
recompile libbz2. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libbz2:

        # cd src
        # cvs update -d -P -r BRANCH FILES
        # cd lib/libbz2
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../rescue
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

Alternatively, apply the following patch (with potential offset
differences):

  http://ftp.NetBSD.org/pub/NetBSD/security/patches/SA2010-007-libbz2.patch

For more information on building (oriented towards rebuilding the
entire system, however) see:

   http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

Mikolaj Izdebski for finding and reporting the vulnerability.
Christos Zoulas for fixing the problem.


Revision History
================

        2010-09-27      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-007.txt,v 1.4 2010/09/27 20:41:45 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

-----END PGP SIGNATURE-----

