                 NetBSD Security Advisory 2010-007
                 =================================

Topic:          Integer overflow in libbz2 decompression code

Version:        NetBSD-current:         source prior to September 21, 2010
                NetBSD 5.0:             affected
                NetBSD 4.0.1:           affected
                pkgsrc:                 bzip2 package prior to 1.0.6

Severity:       potential remote DoS or code-injection attack

Fixed:          NetBSD-current:         Sep 20, 2010
                NetBSD-5 branch         Sep 23, 2010
                NetBSD-5-0 branch       Sep 23, 2010
                NetBSD-4 branch         Sep 23, 2010
                NetBSD-4-0 branch       Sep 23, 2010
                pkgsrc 2010Q2:          bzip2-1.0.6 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The bzip2/bunzip2 functions and the libbz2 library provide compression
and decompression functionality similar to gzip/gunzip and libgzip but
with better compression ratio and worse compression performance.

The bug described in CVE-2010-0405 affects decompression and can cause
a local or remote DoS attack or possible random code execution in a
program that tries to decompress attacker controlled streams.


Technical Details
=================

There is an integer overflow in the bzip2 decompression code which can be
used to cause a negative value to be used for a buffer size. The bzip code
is also used in other derivative programs such as tar(1) and pax(1), so
utilities using these programs can be affected.


Solutions and Workarounds
=========================

- Patch, recompile, and re-install libbz2, restart all daemons possibly
  affected

  CVS branch     file                            revision
  -------------  ----------------                --------
  HEAD           src/dist/bzip2/decompress.c     1.2
  netbsd-5.0     src/dist/bzip2/decompress.c     1.1.1.3.12.1
  netbsd-5       src/dist/bzip2/decompress.c     1.1.1.3.8.1
  netbsd-4.0     src/dist/bzip2/decompress.c     1.1.1.2.28.2
  netbsd-4       src/dist/bzip2/decompress.c     1.1.1.2.18.2

The following instructions briefly summarize how to update and
recompile libbz2.
In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libbz2:

        # cd src
        # cvs update -d -P -r BRANCH FILES
        # cd lib/libbz2
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../rescue
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

Alternatively, apply the following patch (with potential offset differences):

  http://ftp.NetBSD.org/pub/NetBSD/security/patches/SA2010-007-libbz2.patch

For more information on building (oriented towards rebuilding the
entire system, however) see:

  http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

Mikolaj Izdebski for finding and reporting the vulnerability.
Christos Zoulas for fixing the problem.


Revision History
================

        2010-09-27      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-007.txt,v 1.5 2010/10/07 17:16:37 spz Exp $
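
The class of defect named under Technical Details (an integer overflow that turns a decoded length into a negative buffer size) and the usual guard against it, as an added illustration; this is not libbz2's code or the SA2010-007 patch. The function names, the symbol encoding and the 2 Mi bound are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed bound: reject once the doubling weight reaches 2 Mi. */
#define WEIGHT_LIMIT (2 * 1024 * 1024)

/* Hypothetical run-length decoder: symbol s (0 or 1) at position i
   contributes (s + 1) * 2^i. Unchecked variant. The arithmetic is
   unsigned so the wrap is well defined; the result is then read back
   as the signed length a caller would use for a buffer size. */
int32_t run_length_unchecked(const uint8_t *syms, size_t n)
{
    uint32_t es = 0, weight = 1;
    for (size_t i = 0; i < n; i++) {
        es += (uint32_t)(syms[i] + 1) * weight;
        weight *= 2;
    }
    return (int32_t)es;   /* wraps negative on two's-complement targets */
}

/* Hardened variant: refuses the input before the weight can grow far
   enough for the sum to leave the positive int32_t range.
   Returns 0 and stores the length in *out, or -1 to reject. */
int run_length_checked(const uint8_t *syms, size_t n, int32_t *out)
{
    int32_t es = 0, weight = 1;
    for (size_t i = 0; i < n; i++) {
        if (syms[i] > 1 || weight >= WEIGHT_LIMIT)
            return -1;
        es += (syms[i] + 1) * weight;
        weight *= 2;
    }
    *out = es;
    return 0;
}

int main(void)
{
    uint8_t run[32] = {0};   /* constructed input: 32 zero symbols */
    int32_t len = 0;
    printf("unchecked: %d\n", (int)run_length_unchecked(run, 32));
    printf("checked:   %s\n",
           run_length_checked(run, 32, &len) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the bound in place the accumulated length stays below 2^22, so a caller never sees a negative size; without it, 32 symbols are enough to wrap.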