K15878 : bzip2 vulnerability CVE-2010-0405

Security Advisory Description

Description

Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file. (CVE-2010-0405)

Impact

This vulnerability may allow unauthorized users to disclose or modify information or allow a disruption of service.

Status

F5 Product Development has assigned ID 339396 (BIG-IP) and ID 474395 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Enterprise Manager| 2.1.0 - 2.3.0| 3.0.0 - 3.1.1| bzip2 utility
FirePass| None| 7.0.0
6.0.0 - 6.1.0| None
BIG-IQ Cloud| None
| 4.0.0 - 4.4.0
| None
BIG-IQ Device| None
| 4.2.0 - 4.4.0
| None
BIG-IQ Security| None
| 4.0.0 - 4.4.0
| None

Recommended action

BIG-IP and Enterprise Manager

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.

Supplemental Information

• K9970: Subscribing to email notifications regarding F5 products
• K9957: Creating a custom RSS feed to view new and updated documents
• K4602: Overview of the F5 security vulnerability response policy
• K4918: Overview of the F5 critical issue hotfix policy
• K167: Downloading software and firmware from F5