Background Print only logo
Cert logo
suomeksi | på svenska
Home Page | Advice | Reports | Activities |


P.O. Box 313
FI-00181 Helsinki
Phone: +358 295 390 230 (lnf/mcf)

PGP keys

Finnish Communications Regulatory Authority (FICORA):

Itämerenkatu 3 A
P. O. Box 313
Phone: +358 259 390 100 (lnf/mcf)

Detailed contact information

Home Page > Reports > 2010 > CERT-FI Advisory on bzip2

CERT-FI Advisory on bzip2

Target - servers and server applications
- workstations and end user applications

Access Vector - remote

Impact - potential code execution
- denial of service

Remediation - fix provided by vendor


A vulnerability has been found in the BZ2_decompress function of bzip2. The vulnerability allows an attacker to cause a denial of service or potentially to execute arbitrary code on the target system by tempting a user to open a maliciously crafted bzip2 archive.

CERT-FI coordinated the remediation effort of the vulnerability

Vulnerability Coordination Information and Acknowledgements

The vulnerability was found by Mikolaj Izdebski. CERT-FI has coordinated the release of these vulnerabilities between the vulnerability researcher and the affected vendors. CERT-FI would like to thank the researcher, the bzip2 project and application vendors for co-operation in the remediation efforts.

Vendor Information

  • bzip2/libbzip2 before version 1.0.6
  • This new engine with the version has the issues fixed, with the aepack.dll in version
  • Fixed in version 0.96.3.


  • We have released a fixed version of our scan engine with our regular database update. Fixed versions are as follows: Database version: Scan engine version:


Install either the latest version of bzip2/libbzip2 ( or a fixed version of the software provided by your operating system or application vendor.




Contact Information

CERT-FI Vulnerability Coordination can be contacted as follows:

Please quote the advisory reference [FICORA #408516] in the subject line

+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax :
+358 9 6966 515

Vulnerability Coordination
P.O. Box 313
FI-00181 Helsinki

CERT-FI encourages those who wish to communicate via email to make use
of our PGP key. The key is available at

The CERT-FI vulnerability coordination policy can be viewed at

Revision History

20 Sep 2010, 13:45 UTC: Published
21 Sep 2010, 08:22 UTC: Added vendor statements for Avira, ClamAV and Virusbuster. Added linux distribution advisory references.
22 Sep 2010, 06:08 UTC: Added Slackware to Linux distros

Page updated 18.10.2010   Print version Print version