Lucene search

K
gentooGentoo FoundationGLSA-200804-02
HistoryApr 02, 2008 - 12:00 a.m.

bzip2: Denial of service

2008-04-0200:00:00
Gentoo Foundation
security.gentoo.org
22

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS

0.097

Percentile

94.8%

Background

bzip2 is a free and open source lossless data compression program.

Description

The Oulu University discovered that bzip2 does not properly check offsets provided by the bzip2 file, leading to a buffer overread.

Impact

Remote attackers can entice a user or automated system to open a specially crafted file that triggers a buffer overread, causing a Denial of Service. libbz2 and programs linking against it are also affected.

Workaround

There is no known workaround at this time.

Resolution

All bzip2 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-arch/bzip2-1.0.5"
OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-arch/bzip2< 1.0.5UNKNOWN

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS

0.097

Percentile

94.8%