Bzip2 download and CVE-2019-12900 fix?

Jeffrey Walton noloader@gmail.com
Tue Jan 1 00:00:00 GMT 2019


On Wed, Jun 26, 2019 at 10:21 AM Mark Wielaard <mark@klomp.org> wrote:
>
> On Wed, 2019-06-26 at 10:10 -0400, Jeffrey Walton wrote:
> > Bzip2 downloads are available at ftp://sourceware.org/pub/bzip2/ .
> > The
> > download is 1.0.6 and dated March 2019.
> >
> > My question is, does the latest download include the fixes for CVE-
> > 2019-12900?
>
> No, not yet in 1.0.6. But everything is in git:
> https://sourceware.org/git/?p=bzip2.git;a=summary
> Including the CVE-2019-12900 fix:
>
> https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184
>
> > If not, when can we expect a patch or new download?
>
> Hopefully today.
> The release script is ready:
> https://sourceware.org/ml/bzip2-devel/2019-q2/msg00009.html
>
> But there is some discussion on whether to synchronize with an
> alternative setup with newer build systems and other changes:
> https://sourceware.org/ml/bzip2-devel/2019-q2/msg00014.html

Thanks Mark.

There's a lot to the msg00014.html list message. I run with a patched
version of Bzip2. Makefile and Makefile-libbz2_so need some polishing
to get them to respect CFLAGS and LDFLAGS. Otherwise they ignore our
flags.

Also, the recipe for libbz2.so.1.0.6 breaks on non-Linux systems
because -Wl,-soname is a GNU ld thing.

You can get an idea of the Makefile changes by comparing with
https://github.com/noloader/bzip2-noloader. Also see
https://www.gnu.org/prep/standards/html_node/Command-Variables.html .

Jeff



More information about the Bzip2-devel mailing list