CERT-FI Advisory on bzip2
Target
- servers and server applications
- workstations and end user applications
Access Vector
- remote
Impact
- potential code execution
- denial of service
Remediation
- fix provided by vendor
Details
A vulnerability has been found in the BZ2_decompress function of bzip2. The vulnerability allows an attacker to cause a denial of service or potentially to execute arbitrary code on the target system by tempting a user to open a maliciously crafted bzip2 archive. CERT-FI coordinated the remediation effort for the vulnerability.
Vulnerability Coordination Information and Acknowledgements
The vulnerability was found by Mikolaj Izdebski. CERT-FI has coordinated the release of these vulnerabilities between the vulnerability researcher and the affected vendors. CERT-FI would like to thank the researcher, the bzip2 project and application vendors for co-operation in the remediation efforts.
Vendor Information
- bzip2/libbzip2 before version 1.0.6
- Avira: This new engine with the version 8.02.04.58 has the issues fixed, with the aepack.dll in version 8.2.3.7.
- ClamAV
- Virusbuster: We have released a fixed version of our scan engine with our regular database update. Fixed versions are as follows: Database version: 12.64.14.1; Scan engine version: 5.1.1.14
Remediation
Install either the latest version of bzip2/libbzip2 (http://www.bzip.org/) or a fixed version of the software provided by your operating system or application vendor.
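As a local check to go with the remediation above, the following is an added example (not part of the CERT-FI advisory or the bzip2 project) that parses the banner printed by bzip2 --version and reports whether the installed version is older than 1.0.6, the first fixed release named in this advisory. The banner text in the comment is a constructed sample and the function names are assumptions of this example.

```shell
# Added example, not code from the advisory: classify a bzip2 install by version.
# bzip2 --version prints a banner whose first line looks like (constructed sample):
#   bzip2, a block-sorting file compressor.  Version 1.0.5, 10-Dec-2007.

# bzip2_banner_version BANNER -> prints the "major.minor.patch" after "Version "
bzip2_banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# bzip2_version_affected VERSION -> exit 0 (true) when VERSION is before 1.0.6
bzip2_version_affected() {
    # split "major.minor.patch" into positional parameters; missing parts count as 0
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # numeric comparison so that 1.0.10 is correctly treated as newer than 1.0.6
    if [ "$maj" -lt 1 ]; then return 0; fi
    if [ "$maj" -gt 1 ]; then return 1; fi
    if [ "$min" -gt 0 ]; then return 1; fi
    [ "$pat" -lt 6 ]
}

# check_installed_bzip2 -> queries the real binary; stdin is redirected from
# /dev/null because bzip2 otherwise waits for input after printing the banner
check_installed_bzip2() {
    banner=$(bzip2 --version </dev/null 2>&1) || true
    ver=$(bzip2_banner_version "$banner")
    [ -n "$ver" ] || { echo "bzip2 not found or banner not recognised"; return 2; }
    if bzip2_version_affected "$ver"; then
        echo "bzip2 $ver is before 1.0.6: affected, install the vendor fix"
        return 1
    fi
    echo "bzip2 $ver is 1.0.6 or later: fixed"
    return 0
}
```

Note that the bzip2 command-line tool and the libbzip2 shared library an application links against may be at different versions, so also check the library your vendor ships.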
References
- Bzip2
- ClamAV
- General
Contact Information
CERT-FI Vulnerability Coordination can be contacted as follows:
Email: vulncoord@ficora.fi
Please quote the advisory reference [FICORA #408516] in the subject line.
Telephone: +358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)
Fax: +358 9 6966 515
Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html
The CERT-FI vulnerability coordination policy can be viewed at https://www.cert.fi/en/activities/Vulncoord/vulncoord-policy.html.
Revision History
20 Sep 2010, 13:45 UTC: Published
21 Sep 2010, 08:22 UTC: Added vendor statements for Avira, ClamAV and Virusbuster. Added Linux distribution advisory references.
22 Sep 2010, 06:08 UTC: Added Slackware to Linux distros
Page updated 18.10.2010