[Git][security-tracker-team/security-tracker][master] Update entry for CVE-2019-12900/bzip2

Salvatore Bonaccorso carnil at debian.org
Tue Jul 9 21:31:48 BST 2019 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c6211c24 by Salvatore Bonaccorso at 2019-07-09T20:31:17Z
Update entry for CVE-2019-12900/bzip2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1413,7 +1413,13 @@ CVE-2019-12901 (Pydio Cells before 1.5.0 fails to neutralize '../' elements, all
 CVE-2019-12900 (BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bo ...)
 	{DLA-1833-1}
 	- bzip2 1.0.6-9.1 (bug #930886)
+	[stretch] - bzip2 <no-dsa> (Not exploitable; potential dangerous parts already guarded)
 	NOTE: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
+	NOTE: The original fix introduces regressions when extracting certain lbzip2 files
+	NOTE: which were created with a buggy libzip2: https://bugs.debian.org/931278
+	NOTE: Details on followup: https://sourceware.org/ml/bzip2-devel/2019-q3/msg00007.html
+	NOTE: explaining as well why, whilst the issue described by CVE-2019-12900 is definitvely
+	NOTE: an issue, it was not exploitable in the first place.
 CVE-2019-12899 (Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV star ...)
 	NOT-FOR-US: Delta Electronics DeviceNet Builder
 CVE-2019-12898 (Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV star ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6211c24c5bedb19a41fcec9998163e858833657

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6211c24c5bedb19a41fcec9998163e858833657
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190709/9d105817/attachment.html>

More information about the debian-security-tracker-commits mailing list