out-of-bounds write when there are many bzip2 selectors
A malicious bzip2 payload may produce a memory corruption resulting in a denial of service and/or remote code execution. Network services or command line utilities decompressing untrusted bzip2 payloads are affected.
Note that the exploitation of this bug relies on an undefined behavior that appears to be handled safely by current compilers.
The Haskell libraires are vulnerable when they are built using the bundled C library source code, which is the default in most cases.
Info
- Published
- March 11, 2024
- Modified
- March 11, 2024
- CAPECs
- < none >
- CWEs
- 787
- Keywords
- corruption, vendored-code, language-c
- Aliases
- CVE-2019-12900
- Related
- < none >
- References
- [DISCUSSION] https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/
- [DISCUSSION] http://scary.beasts.org/security/CESA-2008-005.html
- [ADVISORY] https://access.redhat.com/security/cve/cve-2019-12900
- [FIX] https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184
Affected
bzlib
- CVSS
- CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Versions
>=0.4 && <0.5.2.0- Declarations
- < none >
bz2
- CVSS
- CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Versions
>=0.1.0.0 && <1.0.1.1- Declarations
- < none >
bzlib-conduit
- CVSS
- CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Versions
>=0.1.0.0 && <0.3.0.3- Declarations
- < none >