Bugzilla – Bug 1139083
VUL-0: CVE-2019-12900: bzip2: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Last modified: 2020-05-12 18:36:56 UTC
CVE-2019-12900 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. Upstream fix: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12900 http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12900.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900 http://www.cvedetails.com/cve/CVE-2019-12900/
This is an autogenerated message for OBS integration: This bug (1139083) was mentioned in https://build.opensuse.org/request/show/712352 Factory / bzip2
Fix for CVE-2019-12900 breaks uncompressing some lbzip2 files [1]. It was fixed in [2] so I opened an openSUSE bug for lbzip2 [3]. [1] https://gitlab.com/federicomenaquintero/bzip2/issues/24 [2] https://github.com/kjn/lbzip2/issues/18 [3] https://bugzilla.suse.com/show_bug.cgi?id=1140733
This is the fix for lbzip2 files: https://gitlab.com/federicomenaquintero/bzip2/commit/812a898b7622de90e98f103ff7fed0984e4548e4
The mailing list thread about this is https://sourceware.org/ml/bzip2-devel/2019-q2/msg00035.html and continues at https://sourceware.org/ml/bzip2-devel/2019-q3/msg00003.html
SUSE-SU-2019:1846-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1139083 CVE References: CVE-2019-12900 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bzip2-1.0.6-5.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bzip2-1.0.6-5.6.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bzip2-1.0.6-5.6.1 SUSE Linux Enterprise Module for Basesystem 15 (src): bzip2-1.0.6-5.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14122-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1139083,985657 CVE References: CVE-2016-3189,CVE-2019-12900 Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): bzip2-1.0.5-34.256.5.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): bzip2-1.0.5-34.256.5.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): bzip2-1.0.5-34.256.5.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): bzip2-1.0.5-34.256.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2019-07-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64321
openSUSE-SU-2019:1781-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1139083 CVE References: CVE-2019-12900 Sources used: openSUSE Leap 15.1 (src): bzip2-1.0.6-lp151.5.6.1 openSUSE Leap 15.0 (src): bzip2-1.0.6-lp150.4.6.1
SUSE-SU-2019:1955-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1139083,985657 CVE References: CVE-2016-3189,CVE-2019-12900 Sources used: SUSE OpenStack Cloud 8 (src): bzip2-1.0.6-30.5.1 SUSE OpenStack Cloud 7 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server for SAP 12-SP1 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server 12-SP5 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server 12-SP4 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Desktop 12-SP5 (src): bzip2-1.0.6-30.5.1 SUSE Linux Enterprise Desktop 12-SP4 (src): bzip2-1.0.6-30.5.1 SUSE Enterprise Storage 5 (src): bzip2-1.0.6-30.5.1 SUSE Enterprise Storage 4 (src): bzip2-1.0.6-30.5.1 SUSE CaaS Platform 3.0 (src): bzip2-1.0.6-30.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
As Federico mentioned in comment 6, bzip2 upstream eventually addressed the bzip2 and (buggy) lbzip2 incompatibility in this patch: https://gitlab.com/federicomenaquintero/bzip2/commit/812a898b7622de90e98f103ff7fed0984e4548e4 It fixes CVE-2019-12900 security issue in a little bit different way that also fixes lbzip2 incompatibility. I updated the initial patch for CVE-2019-12900 and submitted again for all of our affected codestreams. For openSUSE:Factory it was fixed within the 1.0.8 version update.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2019-08-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64334
SUSE-SU-2019:2004-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1139083 CVE References: CVE-2019-12900 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bzip2-1.0.6-5.9.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bzip2-1.0.6-5.9.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bzip2-1.0.6-5.9.1 SUSE Linux Enterprise Module for Basesystem 15 (src): bzip2-1.0.6-5.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2013-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1139083 CVE References: CVE-2019-12900 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): bzip2-1.0.6-30.8.1 SUSE OpenStack Cloud 8 (src): bzip2-1.0.6-30.8.1 SUSE OpenStack Cloud 7 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server for SAP 12-SP1 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server 12-SP5 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server 12-SP4 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Desktop 12-SP5 (src): bzip2-1.0.6-30.8.1 SUSE Linux Enterprise Desktop 12-SP4 (src): bzip2-1.0.6-30.8.1 SUSE Enterprise Storage 5 (src): bzip2-1.0.6-30.8.1 SUSE Enterprise Storage 4 (src): bzip2-1.0.6-30.8.1 SUSE CaaS Platform 3.0 (src): bzip2-1.0.6-30.8.1 HPE Helion Openstack 8 (src): bzip2-1.0.6-30.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14139-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1139083 CVE References: CVE-2019-12900 Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): bzip2-1.0.5-34.256.8.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): bzip2-1.0.5-34.256.8.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): bzip2-1.0.5-34.256.8.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): bzip2-1.0.5-34.256.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1918-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1139083 CVE References: CVE-2019-12900 Sources used: openSUSE Leap 15.1 (src): bzip2-1.0.6-lp151.5.9.1 openSUSE Leap 15.0 (src): bzip2-1.0.6-lp150.4.9.1
SUSE-SU-2019:2013-2: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1139083 CVE References: CVE-2019-12900 Sources used: SUSE Enterprise Storage 5 (src): bzip2-1.0.6-30.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done