[FLSA-2005:158801] Updated bzip2 packages fix security issues

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [FLSA-2005:158801] Updated bzip2 packages fix security issues
From: Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
Date: Mon, 14 Nov 2005 19:57:20 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated bzip2 packages fix security issues
Advisory ID:       FLSA:158801
Issue date:        2005-11-14
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-0758 CVE-2005-0953 CVE-2005-1260
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated bzip2 packages that fix multiple issues are now available.

Bzip2 is a data compressor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way bzgrep processes file names. If a user can be
tricked into running bzgrep on a file with a carefully crafted file
name, arbitrary commands could be executed as the user running bzgrep.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0758 to this issue.

A bug was found in the way bzip2 modifies file permissions during
decompression. If an attacker has write access to the directory into
which bzip2 is decompressing files, it is possible for them to modify
permissions on files owned by the user running bzip2 (CVE-2005-0953).

A bug was found in the way bzip2 decompresses files. It is possible for
an attacker to create a specially crafted bzip2 file which will cause
bzip2 to cause a denial of service (by filling disk space) if
decompressed by a victim (CVE-2005-1260).

Users of Bzip2 should upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158801

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/bzip2-1.0.2-2.2.73.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-1.0.2-2.2.73.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-devel-1.0.2-2.2.73.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-libs-1.0.2-2.2.73.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/bzip2-1.0.2-8.1.90.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-1.0.2-8.1.90.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/bzip2-1.0.2-10.1.fc1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-1.0.2-10.1.fc1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-devel-1.0.2-10.1.fc1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-libs-1.0.2-10.1.fc1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/bzip2-1.0.2-12.2.fc2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-1.0.2-12.2.fc2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-devel-1.0.2-12.2.fc2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-libs-1.0.2-12.2.fc2.legacy.i386.rpm


7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

2d0d5267210ceefd6e2ed80187c2f6e3d994e4a0
redhat/7.3/updates/i386/bzip2-1.0.2-2.2.73.legacy.i386.rpm
e661f6bf518498c375918577fc3414978a190d78
redhat/7.3/updates/i386/bzip2-devel-1.0.2-2.2.73.legacy.i386.rpm
0c1bd4a4472ca70183b104438db1a9ef98db4969
redhat/7.3/updates/i386/bzip2-libs-1.0.2-2.2.73.legacy.i386.rpm
f146cb7edfa74345c42831f24cb95c7898db3064
redhat/7.3/updates/SRPMS/bzip2-1.0.2-2.2.73.legacy.src.rpm
36b3b8abb700fe93d14064ce22176ed59aef0b9b
redhat/9/updates/i386/bzip2-1.0.2-8.1.90.legacy.i386.rpm
3ce61caa59d4c9a90e2412ebd5bae76500e4e462
redhat/9/updates/i386/bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm
905c29052192f032dac84be0860013837b65f8d4
redhat/9/updates/i386/bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm
bdbf201ea36551c1f5eacff3707656fd5e099c75
redhat/9/updates/SRPMS/bzip2-1.0.2-8.1.90.legacy.src.rpm
56b7883ada43718a80577ddcbdbc8bc24072765d
fedora/1/updates/i386/bzip2-1.0.2-10.1.fc1.legacy.i386.rpm
472cee03d32c68e0a0feba56a265c42d208ea5d4
fedora/1/updates/i386/bzip2-devel-1.0.2-10.1.fc1.legacy.i386.rpm
94abc962a1b84373813c558d4d3d44993722bb16
fedora/1/updates/i386/bzip2-libs-1.0.2-10.1.fc1.legacy.i386.rpm
7ce97f2488338b9d0e4b136b63c04e80c7a27394
fedora/1/updates/SRPMS/bzip2-1.0.2-10.1.fc1.legacy.src.rpm
c2821d2326bdff302a8b38ab6baec2930da4ca6b
fedora/2/updates/i386/bzip2-1.0.2-12.2.fc2.legacy.i386.rpm
d1ba1f61d62970f0d97af8813956771b471fbc81
fedora/2/updates/i386/bzip2-devel-1.0.2-12.2.fc2.legacy.i386.rpm
c8cf989f3683f4313d4a0caf7695673f48e405e7
fedora/2/updates/i386/bzip2-libs-1.0.2-12.2.fc2.legacy.i386.rpm
1ac418e19c22613a3cc4d71ee304a9d304af50e6
fedora/2/updates/SRPMS/bzip2-1.0.2-12.2.fc2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1260

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

Attachment: signature.asc
Description: OpenPGP digital signature

Prev by Date: [FS-05-02] Multiple vulnerabilities in phpMyAdmin
Next by Date: Three years and ten months without a patch
Previous by thread: [FS-05-02] Multiple vulnerabilities in phpMyAdmin
Next by thread: Three years and ten months without a patch
Index(es):
- Date
- Thread