rpms/bzip2/F-7 bzip2-1.0.5.patch,NONE,1.1 bzip2.spec,1.31,1.32

Ivana Varekova (varekova) fedora-extras-commits at redhat.com
Tue Apr 1 08:53:58 UTC 2008


Author: varekova

Update of /cvs/pkgs/rpms/bzip2/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28804

Modified Files:
	bzip2.spec 
Added Files:
	bzip2-1.0.5.patch 
Log Message:
- fix crash on malformed archive file - CVE-2008-1372 (#438118)
  (apply upstream patch)


bzip2-1.0.5.patch:

--- NEW FILE bzip2-1.0.5.patch ---
diff -urN bzip2-1.0.4/bzlib.c bzip2-1.0.5/bzlib.c
--- bzip2-1.0.4/bzlib.c	2007-01-02 21:00:55.000000000 -0500
+++ bzip2-1.0.5/bzlib.c	2007-12-09 08:57:21.000000000 -0500
@@ -598,6 +598,7 @@
       UInt32        c_tPos               = s->tPos;
       char*         cs_next_out          = s->strm->next_out;
       unsigned int  cs_avail_out         = s->strm->avail_out;
+      Int32         ro_blockSize100k     = s->blockSize100k;
       /* end restore */
 
       UInt32       avail_out_INIT = cs_avail_out;
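Review bot: The new local `ro_blockSize100k` is not referenced by name anywhere in the visible lines of this function; it exists only so that the `BZ_GET_FAST_C` macro in bzlib_private.h can compare `c_tPos` against it, and nothing at the declaration says so. A comment such as `/* read-only copy; consumed by the bounds check inside BZ_GET_FAST_C */` would keep a later cleanup from dropping it as unused and silently breaking the build or the check. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here that it returns a Bool whose True value callers treat as a data error, which the macro's `return True` relies on.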
diff -urN bzip2-1.0.4/bzlib_private.h bzip2-1.0.5/bzlib_private.h
--- bzip2-1.0.4/bzlib_private.h	2007-01-02 21:00:55.000000000 -0500
+++ bzip2-1.0.5/bzlib_private.h	2007-12-09 09:00:46.000000000 -0500
@@ -442,11 +442,15 @@
 /*-- Macros for decompression. --*/
 
 #define BZ_GET_FAST(cccc)                     \
+    /* c_tPos is unsigned, hence test < 0 is pointless. */ \
+    if (s->tPos >= (UInt32)100000 * (UInt32)s->blockSize100k) return True; \
     s->tPos = s->tt[s->tPos];                 \
     cccc = (UChar)(s->tPos & 0xff);           \
     s->tPos >>= 8;
 
 #define BZ_GET_FAST_C(cccc)                   \
+    /* c_tPos is unsigned, hence test < 0 is pointless. */ \
+    if (c_tPos >= (UInt32)100000 * (UInt32)ro_blockSize100k) return True; \
     c_tPos = c_tt[c_tPos];                    \
     cccc = (UChar)(c_tPos & 0xff);            \
     c_tPos >>= 8;
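Review bot: `BZ_GET_FAST` and `BZ_GET_FAST_C` now expand to `if (...) return True;` followed by three more statements, so they are unsafe under an unbraced `if`/`else` and hide a function return at every expansion site; the same holds for `BZ_GET_SMALL` in the next hunk. If the expansion sites allow it, wrap each body in `do { ... } while (0)`, or at least put `/* may return True (data error) from the enclosing function */` above each macro. The comment inside `BZ_GET_FAST` (and `BZ_GET_SMALL`) names `c_tPos` although the test is on `s->tPos`; it should read `/* s->tPos is unsigned, hence test < 0 is pointless. */`. The limit used is the block capacity `100000 * blockSize100k` rather than the number of entries filled for the current block, so the check presumably keeps the index inside the allocation but does not reject an in-range index into unfilled entries; that is worth confirming as the intended guarantee.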
@@ -469,8 +473,10 @@
    (((UInt32)s->ll16[i]) | (GET_LL4(i) << 16))
 
 #define BZ_GET_SMALL(cccc)                            \
-      cccc = BZ2_indexIntoF ( s->tPos, s->cftab );    \
-      s->tPos = GET_LL(s->tPos);
+    /* c_tPos is unsigned, hence test < 0 is pointless. */ \
+    if (s->tPos >= (UInt32)100000 * (UInt32)s->blockSize100k) return True; \
+    cccc = BZ2_indexIntoF ( s->tPos, s->cftab );    \
+    s->tPos = GET_LL(s->tPos);
 
 
 /*-- externs for decompression. --*/


Index: bzip2.spec
===================================================================
RCS file: /cvs/pkgs/rpms/bzip2/F-7/bzip2.spec,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- bzip2.spec	4 Apr 2007 13:55:03 -0000	1.31
+++ bzip2.spec	1 Apr 2008 08:53:22 -0000	1.32
@@ -1,7 +1,7 @@
 Summary: A file compression utility
 Name: bzip2
 Version: 1.0.4
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: BSD
 Group: Applications/File
 URL: http://www.bzip.org/
@@ -9,6 +9,7 @@
 Patch0: bzip2-1.0.4-saneso.patch
 Patch5: bzip2-1.0.4-cflags.patch
 Patch6: bzip2-1.0.4-bzip2recover.patch
+Patch7: bzip2-1.0.5.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
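Review bot: The patch file name `bzip2-1.0.5.patch` reads like a version bump, while `Version:` stays at 1.0.4 and the patch carries only the CVE-2008-1372 bounds checks. Naming it after the fix, for example `bzip2-1.0.4-CVE-2008-1372.patch`, and adding a one-line comment above `Patch7:` with the bug number (#438118) would make it much easier to audit which security fixes this package carries. The matching `%patch7 -p1 -b .1.0.5` suffix in the `%prep` hunk would change with it.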
@@ -45,6 +46,7 @@
 %patch0 -p1 -b .saneso
 %patch5 -p1 -b .cflags
 %patch6 -p1 -b .bz2recover
+%patch7 -p1 -b .1.0.5
 
 %build
 
@@ -108,6 +110,10 @@
 %{_libdir}/*.a
 
 %changelog
+* Tue Apr  1 2008 Ivana Varekova <varekova at redhat.com> 1.0.4-11
+- fix cash on malformed archive file - CVE-2008-1372 (#438118)
+  (apply upstream patch)
+  
 * Wed Apr  4 2007 Ivana Varekova <varekova at redhat.com> 1.0.4-10
 - change libz.a permissions
 



