--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated bzip2 packages fix security issues Advisory ID: FLSA:158801 Issue date: 2005-11-14 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-0758 CVE-2005-0953 CVE-2005-1260 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated bzip2 packages that fix multiple issues are now available. Bzip2 is a data compressor. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: A bug was found in the way bzgrep processes file names. If a user can be tricked into running bzgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running bzgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way bzip2 modifies file permissions during decompression. If an attacker has write access to the directory into which bzip2 is decompressing files, it is possible for them to modify permissions on files owned by the user running bzip2 (CVE-2005-0953). A bug was found in the way bzip2 decompresses files. It is possible for an attacker to create a specially crafted bzip2 file which will cause bzip2 to cause a denial of service (by filling disk space) if decompressed by a victim (CVE-2005-1260). Users of Bzip2 should upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158801 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/bzip2-1.0.2-2.2.73.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-1.0.2-2.2.73.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-devel-1.0.2-2.2.73.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-libs-1.0.2-2.2.73.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/bzip2-1.0.2-8.1.90.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-1.0.2-8.1.90.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/bzip2-1.0.2-10.1.fc1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-1.0.2-10.1.fc1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-devel-1.0.2-10.1.fc1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-libs-1.0.2-10.1.fc1.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/bzip2-1.0.2-12.2.fc2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-1.0.2-12.2.fc2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-devel-1.0.2-12.2.fc2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-libs-1.0.2-12.2.fc2.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 2d0d5267210ceefd6e2ed80187c2f6e3d994e4a0 redhat/7.3/updates/i386/bzip2-1.0.2-2.2.73.legacy.i386.rpm e661f6bf518498c375918577fc3414978a190d78 redhat/7.3/updates/i386/bzip2-devel-1.0.2-2.2.73.legacy.i386.rpm 0c1bd4a4472ca70183b104438db1a9ef98db4969 redhat/7.3/updates/i386/bzip2-libs-1.0.2-2.2.73.legacy.i386.rpm f146cb7edfa74345c42831f24cb95c7898db3064 redhat/7.3/updates/SRPMS/bzip2-1.0.2-2.2.73.legacy.src.rpm 36b3b8abb700fe93d14064ce22176ed59aef0b9b redhat/9/updates/i386/bzip2-1.0.2-8.1.90.legacy.i386.rpm 3ce61caa59d4c9a90e2412ebd5bae76500e4e462 redhat/9/updates/i386/bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm 905c29052192f032dac84be0860013837b65f8d4 redhat/9/updates/i386/bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm bdbf201ea36551c1f5eacff3707656fd5e099c75 redhat/9/updates/SRPMS/bzip2-1.0.2-8.1.90.legacy.src.rpm 56b7883ada43718a80577ddcbdbc8bc24072765d fedora/1/updates/i386/bzip2-1.0.2-10.1.fc1.legacy.i386.rpm 472cee03d32c68e0a0feba56a265c42d208ea5d4 fedora/1/updates/i386/bzip2-devel-1.0.2-10.1.fc1.legacy.i386.rpm 94abc962a1b84373813c558d4d3d44993722bb16 fedora/1/updates/i386/bzip2-libs-1.0.2-10.1.fc1.legacy.i386.rpm 7ce97f2488338b9d0e4b136b63c04e80c7a27394 fedora/1/updates/SRPMS/bzip2-1.0.2-10.1.fc1.legacy.src.rpm c2821d2326bdff302a8b38ab6baec2930da4ca6b fedora/2/updates/i386/bzip2-1.0.2-12.2.fc2.legacy.i386.rpm d1ba1f61d62970f0d97af8813956771b471fbc81 fedora/2/updates/i386/bzip2-devel-1.0.2-12.2.fc2.legacy.i386.rpm c8cf989f3683f4313d4a0caf7695673f48e405e7 fedora/2/updates/i386/bzip2-libs-1.0.2-12.2.fc2.legacy.i386.rpm 1ac418e19c22613a3cc4d71ee304a9d304af50e6 fedora/2/updates/SRPMS/bzip2-1.0.2-12.2.fc2.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0953 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1260 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature