bzip2 (CAN-2005-1260)
Ken Moffat
ken at linuxfromscratch.org
Fri Dec 2 07:22:03 MST 2005
On Fri, 2 Dec 2005, gohai at gmx.net wrote:
> I know it's already some months old, but isn't this issue still valid for
> lfs-svn?
>
> thanks
> Gottfried Haider
>
A quick google suggests that distros patched their versions of
bzip2-1.0.{1,2}, and RH at least said their patch was a backport.
The latest version of bzip2 from fedora that I can find is 1.0.2-16. I
assume that the problem is the one fixed by the "bomb" patch within
that, which we are already using.
Having said that, I'm not aware of a publicly accessible bzip2
development tree, so I might be wrong. The fedora specfile doesn't
mention this vulnerability number. Ubuntu does mention this number for
1.0.2, but I'm unclear which of their patches fix it, and I don't always
trust their analysis. The only "big guys" using 1.0.3 seem to be
gentoo, and they don't mention this as far as I can see.
Ken
--
the first time as tragedy, the second time as farce
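The thread refers to the "bomb" patch, and CAN-2005-1260 is the bzip2 decompression-bomb denial of service (a tiny input that expands without bound while decompressing). Whether or not a given build of bzip2 carries the fix, any consumer of untrusted .bz2 data can defend itself by bounding the output it is willing to produce. The following is an added example, not code from the thread or from the bzip2 project; it uses Python's standard bz2 module, and the sample "bomb" (8 MiB of zeros) and the size cap are constructed for illustration.

```python
import bz2
import io


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output would exceed the caller's cap."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress a bzip2 stream, refusing to emit more than max_output bytes.

    Output is pulled in bounded chunks via max_length, so a small input that
    expands enormously (a decompression bomb) is rejected as soon as the cap
    is crossed, instead of being allowed to fill memory or disk.
    """
    dec = bz2.BZ2Decompressor()
    out = io.BytesIO()
    produced = 0
    pending = data  # hand the whole input over on the first call, then b""
    while not dec.eof:
        if dec.needs_input and not pending:
            # decompressor has consumed all input but the stream is not finished
            raise ValueError("truncated bzip2 stream")
        piece = dec.decompress(pending, max_length=chunk)
        pending = b""
        produced += len(piece)
        if produced > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeded {max_output} bytes from {len(data)} input bytes")
        out.write(piece)
    return out.getvalue()


def classify_bz2(data: bytes, max_output: int) -> str:
    """Return "ok", "bomb" (cap exceeded) or "corrupt" (truncated/invalid)."""
    try:
        bounded_bz2_decompress(data, max_output)
        return "ok"
    except DecompressionLimitExceeded:
        return "bomb"
    except (ValueError, OSError):  # OSError: bz2 reports invalid streams this way
        return "corrupt"


# Constructed sample inputs (not real-world captures):
SAMPLE_GOOD = bz2.compress(b"hello from lfs-security\n" * 100)
# 8 MiB of zeros compresses to a tiny stream but expands back to 8 MiB,
# which is the shape of a decompression bomb.
SAMPLE_BOMB = bz2.compress(b"\0" * (8 * 1024 * 1024))
SAMPLE_TRUNCATED = SAMPLE_GOOD[:10]  # header only, stream cut short


if __name__ == "__main__":
    cap = 1 << 20  # hypothetical policy: never expand past 1 MiB
    for name, blob in (("good", SAMPLE_GOOD), ("bomb", SAMPLE_BOMB),
                       ("truncated", SAMPLE_TRUNCATED)):
        print(f"{name}: {len(blob)} compressed bytes -> {classify_bz2(blob, cap)}")
```

The cap is applied to output actually produced so far, not to a header claim the attacker controls, which is what makes it robust against crafted streams; choose max_output per use (what the caller can legitimately accept) rather than as a global constant.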