  • [SECURITY] [DSA-2112-1] New bzip2 packages fix integer overflow (1/3)

    From Stefan Fritsch@1:229/2 to All on Mon Sep 20 13:10:02 2010
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2112-1                  [email protected]
    http://www.debian.org/security/                          Stefan Fritsch
    September 20, 2010                   http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : bzip2
    Vulnerability : integer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2010-0405

    Mikolaj Izdebski has discovered an integer overflow flaw in the
    BZ2_decompress function in bzip2/libbz2. An attacker could use a
    crafted bz2 file to cause a denial of service (application crash)
    or potentially to execute arbitrary code. (CVE-2010-0405)

    After the upgrade, all running services that use libbz2 need to be
    restarted.

    This update also provides rebuilt dpkg packages, which are statically
    linked to the fixed version of libbz2. Updated packages for clamav,
    which is also affected by this issue, will be provided on debian-volatile.

    For the stable distribution (lenny), these problems have been fixed in
    version 1.0.4-1+lenny1.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem in bzip2 will be fixed soon. Updated dpkg packages
    are not necessary for testing/unstable.


    We recommend that you upgrade your bzip2 / dpkg packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    After having upgraded the package, you need to restart all processes
    using libbz2. The script checkrestart from the debian-goodies package
    or lsof may help to find out which processes are still using the old
    libbz2.

    Debian GNU/Linux 5.0 alias lenny (stable)
    - -----------------------------------------

    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.


    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
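
The advisory's post-upgrade step (finding processes that still use the old libbz2) can be checked directly from /proc. The script below is an added example, not part of the original message and not the code of checkrestart; the function names, the optional proc-root argument and the sample tree with its library path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find processes still mapping a libbz2 file that was replaced
# on disk. The kernel tags such mappings "(deleted)" in /proc/PID/maps.
# The proc-root argument is an assumption of this example (for testing);
# on a live system omit it and run as root to see every process.

stale_libbz2_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/libbz2\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done | sort -n
}

# "PID name" per affected process, so the owning service can be restarted.
report_stale_libbz2() {
    proc_root=${1:-/proc}
    for pid in $(stale_libbz2_pids "$proc_root"); do
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$proc_root/$pid/status" 2>/dev/null) || name=
        echo "$pid ${name:-?}"
    done
}

# Constructed sample tree (not real process data): 101 and 303 hold the old
# library, 202 maps the new one plus an unrelated deleted file.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/101" "$d/202" "$d/303"
    echo 'b7e00000-b7e10000 r-xp 00000000 08:01 4242 /lib/libbz2.so.1.0.4 (deleted)' > "$d/101/maps"
    printf '%s\n' \
        'b7e00000-b7e10000 r-xp 00000000 08:01 5151 /lib/libbz2.so.1.0.4' \
        'b7d00000-b7d08000 r-xp 00000000 08:01 6161 /tmp/scratch (deleted)' > "$d/202/maps"
    printf '%s\n' \
        '08048000-08050000 r-xp 00000000 08:01 7171 /usr/bin/sample' \
        'b7e00000-b7e10000 r-xp 00000000 08:01 4242 /lib/libbz2.so.1.0.4 (deleted)' > "$d/303/maps"
    for p in 101 202 303; do printf 'Name:\tsample-%s\n' "$p" > "$d/$p/status"; done
    echo "$d"
}

sample=$(make_sample_proc)
report_stale_libbz2 "$sample"
rm -rf "$sample"
```

Statically linked consumers, such as the rebuilt dpkg the advisory mentions, do not map the shared library and will not appear in this output.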