Bugtraq mailing list archives
[OpenPKG-SA-2005.008] OpenPKG Security Advisory (bzip2)
From: OpenPKG <openpkg () openpkg org>
Date: Fri, 10 Jun 2005 22:42:11 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                http://www.openpkg.org
openpkg-security () openpkg org                         openpkg () openpkg org

OpenPKG-SA-2005.008                                          10-Jun-2005
________________________________________________________________________

Package:             bzip2
Vulnerability:       arbitrary file mode modification, denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= bzip2-1.0.2-20050324     >= bzip2-1.0.3-20050506
                     <= analog-6.0-20041220      >= analog-6.0-20050608
OpenPKG 2.3          <= bzip2-1.0.2-2.3.0        >= bzip2-1.0.2-2.3.1
                     <= analog-6.0-2.3.0         >= analog-6.0-2.3.1
OpenPKG 2.2          <= bzip2-1.0.2-2.2.0        >= bzip2-1.0.2-2.2.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_bzip2 bsdtar clamav gnupg
                     imagemagick libarchive perl-comp perl-mail pgpdump
                     php::with_bzip2 php5::with_bzip2 python::with_bzip2
                     r rzip
OpenPKG 2.3          apache::with_mod_php_bzip2 clamav gnupg imagemagick
                     perl-comp perl-mail php::with_bzip2 php5::with_bzip2
OpenPKG 2.2          apache::with_mod_php_bzip2 clamav imagemagick
                     perl-comp perl-mail php::with_bzip2

Description:
  According to a BugTraq posting [0], Imran Ghory discovered a time of
  check, time of use (TOCTOU) file mode vulnerability in the BZip2 data
  compressor [1]. Because bzip2(1) does not safely restore the mode of a
  file undergoing compression or decompression, a malicious user can
  potentially change the mode of any file belonging to the user running
  bzip2(1). The Common Vulnerabilities and Exposures (CVE) project
  assigned the identifier CAN-2005-0953 [2] to this problem.

  In an unrelated case, a denial of service vulnerability was found in
  both the bzip2(1) program and its associated library libbz2(3).
  Specially crafted BZip2 archives lead to an infinite loop in the
  decompressor, which results in an indefinitely large output file.
  This could be exploited to cause disk space exhaustion. The Common
  Vulnerabilities and Exposures (CVE) project assigned the identifier
  CAN-2005-1260 [3] to this problem.

  Because the OpenPKG bootstrap package embeds BZip2, it is affected as
  well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q bzip2". If you have the "bzip2" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and any dependent packages as well [5][6].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary RPM
  from it [5] and update your OpenPKG installation by applying the binary
  RPM [6]. For the most recent release OpenPKG 2.3, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.3/UPD
  ftp> get bzip2-1.0.2-2.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig bzip2-1.0.2-2.3.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild bzip2-1.0.2-2.3.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm

  We recommend that you rebuild and reinstall any dependent packages (see
  above) as well [5][6]. The "openpkg build" tool can be instrumental in
  consistently updating and securing the entire OpenPKG instance.
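The file mode issue described above comes down to applying a saved mode to a path name after the output has been written, which leaves a window in which the name can be re-pointed at another file. As an added illustration (not bzip2's own source and not the upstream patch), the racy path-based pattern and the race-free descriptor-based pattern side by side, with a self-check on constructed temporary files that assumes /tmp is writable:

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>

/* Permission bits only; this example deliberately never propagates
   setuid/setgid/sticky bits from the input to the output file. */
#define PERM_BITS (S_IRWXU | S_IRWXG | S_IRWXO)

/* Racy pattern of the kind the advisory describes: the mode is applied
   to a *path name* after the output was written. The kernel re-resolves
   the name here, so if the directory is writable by someone else the
   name may refer to a different file by the time chmod() runs. */
int restore_mode_by_path(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Race-free pattern: read the mode from the input's open descriptor and
   apply it to the output's open descriptor. fstat()/fchmod() act on the
   inodes already bound to the descriptors, so nothing is re-resolved. */
int copy_mode_by_fd(int src_fd, int dst_fd)
{
    struct stat st;
    if (fstat(src_fd, &st) != 0)
        return -1;
    return fchmod(dst_fd, st.st_mode & PERM_BITS);
}

/* Demo on constructed input: two temp files, source set to 0640, mode
   copied by descriptor. Returns the destination's resulting permission
   bits (0640 on success, (mode_t)-1 on any failure). */
mode_t demo_copy_mode(void)
{
    char src_path[] = "/tmp/bzdemo-src-XXXXXX";  /* constructed sample */
    char dst_path[] = "/tmp/bzdemo-dst-XXXXXX";  /* constructed sample */
    struct stat st;
    mode_t result = (mode_t)-1;
    int src = mkstemp(src_path), dst = mkstemp(dst_path);
    if (src >= 0 && dst >= 0 && fchmod(src, 0640) == 0 &&
        copy_mode_by_fd(src, dst) == 0 && fstat(dst, &st) == 0)
        result = st.st_mode & PERM_BITS;
    if (src >= 0) { close(src); unlink(src_path); }
    if (dst >= 0) { close(dst); unlink(dst_path); }
    return result;
}

int main(void) { return demo_copy_mode() == 0640 ? 0 : 1; }
```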
________________________________________________________________________

References:
  [0]  http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633
  [1]  http://www.bzip.org/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
  [4]  http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
  [5]  http://www.openpkg.org/tutorial.html#regular-source
  [6]  http://www.openpkg.org/tutorial.html#regular-binary
  [7]  ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.2/UPD/bzip2-1.0.2-2.2.1.src.rpm
  [9]  ftp://ftp.openpkg.org/release/2.3/UPD/
  [10] ftp://ftp.openpkg.org/release/2.2/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F) of
the OpenPKG project which you can retrieve from http://pgp.openpkg.org
and hkp://pgp.openpkg.org. Follow the instructions on
http://pgp.openpkg.org/ for details on how to verify the integrity of
this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>

iD8DBQFCqfsRgHWT4GPEy58RAlK8AJwJrHocGaqSJyF3B0K32CygMRevsQCfRCx6
Wk2ihwlYtsP5vSk5sIm9E6g=
=RvKk
-----END PGP SIGNATURE-----