Update to bzip2-1.0.6: Fix for CVE-2010-0405

author: joerg <joerg> 2010-09-22 14:48:41 +0000
committer: joerg <joerg> 2010-09-22 14:48:41 +0000
commit: 2035a4ab085db669beb978666d710b4773c8ae34 (patch)
tree: 021a068240e3219348e361ca3aadf7db05b57e07 /archivers/bzip2
parent: 9ce156baba4a4aa19c619a60e3b4b07e6c3def88 (diff)
download: pkgsrc-2035a4ab085db669beb978666d710b4773c8ae34.tar.gz
3 files changed, 39 insertions, 6 deletions
diff --git a/archivers/bzip2/files/CHANGES b/archivers/bzip2/files/CHANGES
index 6e4f65e2e0a..81e97ca6fa2 100644
--- a/archivers/bzip2/files/CHANGES
+++ b/archivers/bzip2/files/CHANGES
@@ -2,8 +2,8 @@
  This file is part of bzip2/libbzip2, a program and library for
  lossless, block-sorting data compression.
 
- bzip2/libbzip2 version 1.0.5 of 10 December 2007
- Copyright (C) 1996-2007 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.6 of 6 September 2010
+ Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
 
  Please read the WARNING, DISCLAIMER and PATENTS sections in the 
  README file.
@@ -317,3 +317,11 @@ Fixes some minor bugs since the last version, 1.0.3.
 ~~~~~~~~~~~~~~~~~
 Security fix only.  Fixes CERT-FI 20469 as it applies to bzip2.
 
+
+1.0.6 (6 Sept 10)
+~~~~~~~~~~~~~~~~~
+
+* Security fix for CVE-2010-0405.  This was reported by Mikolaj
+  Izdebski.
+
+* Make the documentation build on Ubuntu 10.04
diff --git a/archivers/bzip2/files/README b/archivers/bzip2/files/README
index e17a84e049f..9fb0f636013 100644
--- a/archivers/bzip2/files/README
+++ b/archivers/bzip2/files/README
@@ -6,8 +6,8 @@ This version is fully compatible with the previous public releases.
 This file is part of bzip2/libbzip2, a program and library for
 lossless, block-sorting data compression.
 
-bzip2/libbzip2 version 1.0.5 of 10 December 2007
-Copyright (C) 1996-2007 Julian Seward <jseward@bzip.org>
+bzip2/libbzip2 version 1.0.6 of 6 September 2010
+Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
 
 Please read the WARNING, DISCLAIMER and PATENTS sections in this file.
 
@@ -181,6 +181,10 @@ WHAT'S NEW IN 1.0.5 ?
 
    See the CHANGES file.
 
+WHAT'S NEW IN 1.0.6 ?
+
+   See the CHANGES file.
+
 
 I hope you find bzip2 useful.  Feel free to contact me at
    jseward@bzip.org
@@ -208,3 +212,4 @@ Cambridge, UK.
 15 February 2005 (bzip2, version 1.0.3)
 20 December 2006 (bzip2, version 1.0.4)
 10 December 2007 (bzip2, version 1.0.5)
+ 6     Sept 2010 (bzip2, version 1.0.6)
diff --git a/archivers/bzip2/files/decompress.c b/archivers/bzip2/files/decompress.c
index bba5e0fa36d..311f5668f9a 100644
--- a/archivers/bzip2/files/decompress.c
+++ b/archivers/bzip2/files/decompress.c
@@ -8,8 +8,8 @@
    This file is part of bzip2/libbzip2, a program and library for
    lossless, block-sorting data compression.
 
-   bzip2/libbzip2 version 1.0.5 of 10 December 2007
-   Copyright (C) 1996-2007 Julian Seward <jseward@bzip.org>
+   bzip2/libbzip2 version 1.0.6 of 6 September 2010
+   Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
 
    Please read the WARNING, DISCLAIMER and PATENTS sections in the 
    README file.
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;
@@ -485,15 +492,28 @@ Int32 BZ2_decompress ( DState* s )
          RETURN(BZ_DATA_ERROR);
 
       /*-- Set up cftab to facilitate generation of T^(-1) --*/
+      /* Check: unzftab entries in range. */
+      for (i = 0; i <= 255; i++) {
+         if (s->unzftab[i] < 0 || s->unzftab[i] > nblock)
+            RETURN(BZ_DATA_ERROR);
+      }
+      /* Actually generate cftab. */
       s->cftab[0] = 0;
       for (i = 1; i <= 256; i++) s->cftab[i] = s->unzftab[i-1];
       for (i = 1; i <= 256; i++) s->cftab[i] += s->cftab[i-1];
+      /* Check: cftab entries in range. */
       for (i = 0; i <= 256; i++) {
          if (s->cftab[i] < 0 || s->cftab[i] > nblock) {
             /* s->cftab[i] can legitimately be == nblock */
             RETURN(BZ_DATA_ERROR);
          }
       }
+      /* Check: cftab entries non-descending. */
+      for (i = 1; i <= 256; i++) {
+         if (s->cftab[i-1] > s->cftab[i]) {
+            RETURN(BZ_DATA_ERROR);
+         }
+      }
 
       s->state_out_len = 0;
       s->state_out_ch  = 0;
author	joerg <joerg>	2010-09-22 14:48:41 +0000
committer	joerg <joerg>	2010-09-22 14:48:41 +0000
commit	2035a4ab085db669beb978666d710b4773c8ae34 (patch)
tree	021a068240e3219348e361ca3aadf7db05b57e07 /archivers/bzip2
parent	9ce156baba4a4aa19c619a60e3b4b07e6c3def88 (diff)
download	pkgsrc-2035a4ab085db669beb978666d710b4773c8ae34.tar.gz