Synopsis

bzip2 security update

Type/Severity

Security Advisory: Low

Topic

Updated bzip2 packages that fix multiple issues are now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

[Updated 13 February 2006]
Replacement bzip2 packages for Red Hat Enterprise Linux 4 have been created
as the original erratum packages did not fix CVE-2005-0758.

Description

Bzip2 is a data compressor.

A bug was found in the way bzgrep processes file names. If a user can be
tricked into running bzgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running bzgrep. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CVE-2005-0758 to this issue.

A bug was found in the way bzip2 modifies file permissions during
decompression. If an attacker has write access to the directory into which
bzip2 is decompressing files, it is possible for them to modify permissions
on files owned by the user running bzip2 (CVE-2005-0953).

A bug was found in the way bzip2 decompresses files. It is possible for an
attacker to create a specially crafted bzip2 file which will cause bzip2 to
cause a denial of service (by filling disk space) if decompressed by a
victim (CVE-2005-1260).

Users of Bzip2 should upgrade to these updated packages, which contain
backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Server 3 x86_64
• Red Hat Enterprise Linux Server 3 ia64
• Red Hat Enterprise Linux Server 3 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Workstation 3 x86_64
• Red Hat Enterprise Linux Workstation 3 ia64
• Red Hat Enterprise Linux Workstation 3 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux Desktop 3 x86_64
• Red Hat Enterprise Linux Desktop 3 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for IBM z Systems 3 s390x
• Red Hat Enterprise Linux for IBM z Systems 3 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc
• Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

• BZ - 155742 - CAN-2005-0953 bzip2 race condition
• BZ - 157548 - CAN-2005-1260 bzip2 decompression bomb (DoS)
• BZ - 159816 - CVE-2005-0758 bzgrep has security issue in sed usage

CVEs

• CVE-2005-0758
• CVE-2005-0953
• CVE-2005-1260

References

• http://scary.beasts.org/security/CESA-2005-002.txt

Red Hat Enterprise Linux Server 4

SRPM
bzip2-1.0.2-13.EL4.3.src.rpm	SHA-256: 6fba898e0f8d64beceb230bc653d85e259b5382014438d3289d5126c8b89b581
x86_64
bzip2-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: 443e3fdd0b2ad1720f4bbf14511ce0e90aad8d6681e801e3c5e5d1e8c7f625f7
bzip2-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: 443e3fdd0b2ad1720f4bbf14511ce0e90aad8d6681e801e3c5e5d1e8c7f625f7
bzip2-devel-1.0.2-13.EL4.3.i386.rpm	SHA-256: 482717e17122d4ff2bd3f843d90a9a6fff89dd2f1d9fd250c319fa6f075c4fe5
bzip2-devel-1.0.2-13.EL4.3.i386.rpm	SHA-256: 482717e17122d4ff2bd3f843d90a9a6fff89dd2f1d9fd250c319fa6f075c4fe5
bzip2-devel-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: 0ce8c8d4b984e51a0786d1629bfec698f6d7fea0474ad2d95e5fde053e569647
bzip2-devel-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: 0ce8c8d4b984e51a0786d1629bfec698f6d7fea0474ad2d95e5fde053e569647
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6
bzip2-libs-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: dd72968f34b9e949b17302dc593d1d00f67814e77f0a5df25a0bd59cf7c5c2c5
bzip2-libs-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: dd72968f34b9e949b17302dc593d1d00f67814e77f0a5df25a0bd59cf7c5c2c5
ia64
bzip2-1.0.2-13.EL4.3.ia64.rpm	SHA-256: b3a6f9b4a9622de14afe94f612d68c3cac66a55207f854e06b6894ef4a24aa3e
bzip2-1.0.2-13.EL4.3.ia64.rpm	SHA-256: b3a6f9b4a9622de14afe94f612d68c3cac66a55207f854e06b6894ef4a24aa3e
bzip2-devel-1.0.2-13.EL4.3.ia64.rpm	SHA-256: feaae345b0f0e0884750fc400716c2ff98c1c174efb8d7134736235e6412f000
bzip2-devel-1.0.2-13.EL4.3.ia64.rpm	SHA-256: feaae345b0f0e0884750fc400716c2ff98c1c174efb8d7134736235e6412f000
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6
bzip2-libs-1.0.2-13.EL4.3.ia64.rpm	SHA-256: 73c2ae12d61b44851fac022557983126aff47ff110ee3e8a4b819a4863d9ed14
bzip2-libs-1.0.2-13.EL4.3.ia64.rpm	SHA-256: 73c2ae12d61b44851fac022557983126aff47ff110ee3e8a4b819a4863d9ed14
i386
bzip2-1.0.2-13.EL4.3.i386.rpm	SHA-256: d333513c4ed288d6342e5b00d64c746b6ef76ebfba7ad4d5af825b4acdbc8d70
bzip2-1.0.2-13.EL4.3.i386.rpm	SHA-256: d333513c4ed288d6342e5b00d64c746b6ef76ebfba7ad4d5af825b4acdbc8d70
bzip2-devel-1.0.2-13.EL4.3.i386.rpm	SHA-256: 482717e17122d4ff2bd3f843d90a9a6fff89dd2f1d9fd250c319fa6f075c4fe5
bzip2-devel-1.0.2-13.EL4.3.i386.rpm	SHA-256: 482717e17122d4ff2bd3f843d90a9a6fff89dd2f1d9fd250c319fa6f075c4fe5
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6

Red Hat Enterprise Linux Workstation 4

SRPM
bzip2-1.0.2-13.EL4.3.src.rpm	SHA-256: 6fba898e0f8d64beceb230bc653d85e259b5382014438d3289d5126c8b89b581
x86_64
bzip2-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: 443e3fdd0b2ad1720f4bbf14511ce0e90aad8d6681e801e3c5e5d1e8c7f625f7
bzip2-devel-1.0.2-13.EL4.3.i386.rpm	SHA-256: 482717e17122d4ff2bd3f843d90a9a6fff89dd2f1d9fd250c319fa6f075c4fe5
bzip2-devel-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: 0ce8c8d4b984e51a0786d1629bfec698f6d7fea0474ad2d95e5fde053e569647
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6
bzip2-libs-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: dd72968f34b9e949b17302dc593d1d00f67814e77f0a5df25a0bd59cf7c5c2c5
ia64
bzip2-1.0.2-13.EL4.3.ia64.rpm	SHA-256: b3a6f9b4a9622de14afe94f612d68c3cac66a55207f854e06b6894ef4a24aa3e
bzip2-devel-1.0.2-13.EL4.3.ia64.rpm	SHA-256: feaae345b0f0e0884750fc400716c2ff98c1c174efb8d7134736235e6412f000
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6
bzip2-libs-1.0.2-13.EL4.3.ia64.rpm	SHA-256: 73c2ae12d61b44851fac022557983126aff47ff110ee3e8a4b819a4863d9ed14
i386
bzip2-1.0.2-13.EL4.3.i386.rpm	SHA-256: d333513c4ed288d6342e5b00d64c746b6ef76ebfba7ad4d5af825b4acdbc8d70
bzip2-devel-1.0.2-13.EL4.3.i386.rpm	SHA-256: 482717e17122d4ff2bd3f843d90a9a6fff89dd2f1d9fd250c319fa6f075c4fe5
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6

Red Hat Enterprise Linux Desktop 4

SRPM
bzip2-1.0.2-13.EL4.3.src.rpm	SHA-256: 6fba898e0f8d64beceb230bc653d85e259b5382014438d3289d5126c8b89b581
x86_64
bzip2-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: 443e3fdd0b2ad1720f4bbf14511ce0e90aad8d6681e801e3c5e5d1e8c7f625f7
bzip2-devel-1.0.2-13.EL4.3.i386.rpm	SHA-256: 482717e17122d4ff2bd3f843d90a9a6fff89dd2f1d9fd250c319fa6f075c4fe5
bzip2-devel-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: 0ce8c8d4b984e51a0786d1629bfec698f6d7fea0474ad2d95e5fde053e569647
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6
bzip2-libs-1.0.2-13.EL4.3.x86_64.rpm	SHA-256: dd72968f34b9e949b17302dc593d1d00f67814e77f0a5df25a0bd59cf7c5c2c5
i386
bzip2-1.0.2-13.EL4.3.i386.rpm	SHA-256: d333513c4ed288d6342e5b00d64c746b6ef76ebfba7ad4d5af825b4acdbc8d70
bzip2-devel-1.0.2-13.EL4.3.i386.rpm	SHA-256: 482717e17122d4ff2bd3f843d90a9a6fff89dd2f1d9fd250c319fa6f075c4fe5
bzip2-libs-1.0.2-13.EL4.3.i386.rpm	SHA-256: 653fba8d79b6fede3853f643fb84a5ffee6c2203016046d5f5708a2c15b7d0f6

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
bzip2-1.0.2-13.EL4.3.src.rpm	SHA-256: 6fba898e0f8d64beceb230bc653d85e259b5382014438d3289d5126c8b89b581
s390x
bzip2-1.0.2-13.EL4.3.s390x.rpm	SHA-256: 316c48259b6663acfa9471ff4c8de7554d1bbd8616f7399c181bbeaf1234d9de
bzip2-devel-1.0.2-13.EL4.3.s390.rpm	SHA-256: f2fa6a20272ca6599c1c764f3309421ce2c5d1513c18ba14707db064003cf25a
bzip2-devel-1.0.2-13.EL4.3.s390x.rpm	SHA-256: a2bd746f8f60a4d43b0aec8a07c253a23e0cb0fa9cb28a4176ba15e5e82736f0
bzip2-libs-1.0.2-13.EL4.3.s390.rpm	SHA-256: 4ec40bd78ce2272bcbc2d4fe96d004236b1645c69e3534f73bfd92456938650f
bzip2-libs-1.0.2-13.EL4.3.s390x.rpm	SHA-256: a68c31e70f65107c7c86ebe75c59f8859d755bccc8001a39c4bfa2264b58fc2e
s390
bzip2-1.0.2-13.EL4.3.s390.rpm	SHA-256: eb7ebc7a7040fc866794e313f433d00881e959c298b169eb0c657bcb20cc8532
bzip2-devel-1.0.2-13.EL4.3.s390.rpm	SHA-256: f2fa6a20272ca6599c1c764f3309421ce2c5d1513c18ba14707db064003cf25a
bzip2-libs-1.0.2-13.EL4.3.s390.rpm	SHA-256: 4ec40bd78ce2272bcbc2d4fe96d004236b1645c69e3534f73bfd92456938650f

Red Hat Enterprise Linux for Power, big endian 4

SRPM
bzip2-1.0.2-13.EL4.3.src.rpm	SHA-256: 6fba898e0f8d64beceb230bc653d85e259b5382014438d3289d5126c8b89b581
ppc
bzip2-1.0.2-13.EL4.3.ppc.rpm	SHA-256: 33e76278632b703ae09abdcc678f66dff0adc0b4c4c5a44152394843bbbcb2db
bzip2-devel-1.0.2-13.EL4.3.ppc.rpm	SHA-256: e230476da6e3e9ea90825c85193827618d268ce67de3cafaa89554547de2622b
bzip2-libs-1.0.2-13.EL4.3.ppc.rpm	SHA-256: d020a2a5607cb548e0cf03c07b10d6064375081c889475f9af2a656aa6e68e0c
bzip2-libs-1.0.2-13.EL4.3.ppc64.rpm	SHA-256: 483bf87f6609e2dd0d196761345004a8e19e605d41402e63a881d859b1465ddf