[OpenPKG-SA-2005.008] OpenPKG Security Advisory (bzip2)

[OpenPKG <openpkg () openpkg org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security () openpkg org                         openpkg () openpkg org
OpenPKG-SA-2005.008                                          10-Jun-2005
________________________________________________________________________

Package:             bzip2
Vulnerability:       arbitrary file mode modification, denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= bzip2-1.0.2-20050324      >= bzip2-1.0.3-20050506
                     <= analog-6.0-20041220       >= analog-6.0-20050608
OpenPKG 2.3          <= bzip2-1.0.2-2.3.0         >= bzip2-1.0.2-2.3.1
                     <= analog-6.0-2.3.0          >= analog-6.0-2.3.1
OpenPKG 2.2          <= bzip2-1.0.2-2.2.0         >= bzip2-1.0.2-2.2.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_bzip2 bsdtar clamav gnupg
                     imagemagick libarchive perl-comp perl-mail pgpdump
                     php::with_bzip2 php5::with_bzip2 python::with_bzip2
                     r rzip
OpenPKG 2.3          apache::with_mod_php_bzip2 clamav gnupg imagemagick
                     perl-comp perl-mail php::with_bzip2 php5::with_bzip2
OpenPKG 2.2          apache::with_mod_php_bzip2 clamav imagemagick
                     perl-comp perl-mail php::with_bzip2

Description:
  According to a BugTraq posting [0], Imran Ghory discovered a time
  of check time of use (TOCTOU) file mode vulnerability in the BZip2
  data compressor [1]. Because bzip2(1) does not safely restore the
  mode of a file undergoing compression or decompression, a malicious
  user can potentially change the mode of any file belonging to the
  user running bzip2(1). The Common Vulnerabilities and Exposures (CVE)
  project assigned the identifier CAN-2005-0953 [2] to this problem.

  In a unrelated case, a denial of service vulnerability was found
  in both the bzip2(1) program and its associated library libbz2(3).
  Specially crafted BZip2 archives lead to an infinite loop in the
  decompressor which results in an indefinitively large output file.
  This could be exploited to cause disk space exhaustion. The Common
  Vulnerabilities and Exposures (CVE) project assigned the identifier
  CAN-2005-1260 [3] to this problem.

  Because the OpenPKG bootstrap package embeds BZip2, it is affected as
  well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q bzip2". If you have the "bzip2" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and any dependent packages as well [5][6].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary
  RPM from it [5] and update your OpenPKG installation by applying the
  binary RPM [6]. For the most recent release OpenPKG 2.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.3/UPD
  ftp> get bzip2-1.0.2-2.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig bzip2-1.0.2-2.3.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild bzip2-1.0.2-2.3.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm

  We recommend that you rebuild and reinstall any dependent packages
  (see above) as well [5][6]. The "openpkg build" tool can be
  instrumental in consistently updating and securing the entire OpenPKG
  instance.
________________________________________________________________________

References:
  [0]  http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633
  [1]  http://www.bzip.org/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
  [4]  http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
  [5]  http://www.openpkg.org/tutorial.html#regular-source
  [6]  http://www.openpkg.org/tutorial.html#regular-binary
  [7]  ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.2/UPD/bzip2-1.0.2-2.2.1.src.rpm
  [9]  ftp://ftp.openpkg.org/release/2.3/UPD/
  [10] ftp://ftp.openpkg.org/release/2.2/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>

iD8DBQFCqfsRgHWT4GPEy58RAlK8AJwJrHocGaqSJyF3B0K32CygMRevsQCfRCx6
Wk2ihwlYtsP5vSk5sIm9E6g=
=RvKk
-----END PGP SIGNATURE-----