1.0.8 release (Was: [PATCH] Replace project contact email with bzip2-devel@sourceware.org)

Mark Wielaard mark@klomp.org
Tue Jan 1 00:00:00 GMT 2019


Hi,

On Fri, 2019-07-12 at 09:50 +0200, Julian Seward wrote:
> That's all absolutely fine.  Please do update as per your patch.

Thanks. I also applied the last three distro patches for the bzgrep and
bzdiff script cleanups. There are not many updates since 1.0.7, but
that seems good if we just intend this to be a fixup release too. The
nSelectors relaxation is probably something we want to get out asap, so
people can unbzip2 all files again they could before (even if they were
technically "broken").

Unless someone objects I would like to do a 1.0.8 release this weekend.
With the updates this should all be automated now by running and
following the instructions with the ./prepare-release.sh 1.0.8 and
./release-update.sh 1.0.8 scripts.

I feel we did lots of testing now and the integration of the bzip2-
tests in the buildbot really helps. I have been using a fuzzer (afl)
for a week on various configurations, but did not find any issues. I am
working on better fuzzer targets for better coverage, but that can wait
till after the release (it is also a bit invasive since it requires new
build targets).

The one thing that might have been nice to integrate is the O_CLOEXEC
fix, especially for multi-threaded programs that use libbzip2 and might
fork/exec. But while O_CLOEXEC is now in POSIX, the fopen "e" mode as
used in the proposed patches is GNU/Linux specific. I don't believe the
guards proposed (just define BZ_UNIX to 1 and hope for the best) are the
most conservative option possible.

In summary the (important) fixes for 1.0.8 are:

* Accept as many selectors as the file format allows.
  This relaxes the fix for CVE-2019-12900 from 1.0.7
  so that bzip2 allows decompression of bz2 that use
  (too) many selectors again.

* Fix handling of large (> 4GB) files on Windows.

* Cleanup of bzdiff and bzgrep scripts so they don't use
  any bash extensions and handle multiple archives correctly.

* There is now a bz2-files testsuite at
  https://sourceware.org/git/bzip2-tests.git

Cheers,

Mark
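
The O_CLOEXEC point in the message above, as an added example (not code from bzip2 or from the proposed patches): a stream can be opened close-on-exec through POSIX open() plus fdopen(), without the fopen "e" mode. The names fopen_cloexec and stream_is_cloexec are hypothetical, and only the "r" and "w" modes are handled.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: open `path` as a stdio stream whose descriptor is
   not inherited across exec. Accepts mode "r" or "w" only. */
FILE *fopen_cloexec(const char *path, const char *mode)
{
    int flags, fd;
    FILE *f;

    if (mode[0] == 'r')
        flags = O_RDONLY;
    else if (mode[0] == 'w')
        flags = O_WRONLY | O_CREAT | O_TRUNC;
    else
        return NULL;
#ifdef O_CLOEXEC
    /* The flag is set atomically at open time, so another thread that
       forks and execs cannot see the descriptor without it. */
    fd = open(path, flags | O_CLOEXEC, 0666);
    if (fd < 0)
        return NULL;
#else
    /* Fallback for systems without O_CLOEXEC: there is a short window
       between open() and fcntl() in which a fork/exec leaks the fd. */
    fd = open(path, flags, 0666);
    if (fd < 0)
        return NULL;
    if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) { close(fd); return NULL; }
#endif
    f = fdopen(fd, mode[0] == 'r' ? "r" : "w");  /* plain mode, no "e" */
    if (f == NULL)
        close(fd);
    return f;
}

/* Returns 1 if the stream's descriptor has FD_CLOEXEC set, 0 if it does
   not, -1 if the flags cannot be read. */
int stream_is_cloexec(FILE *f)
{
    int fdflags = fcntl(fileno(f), F_GETFD);
    return fdflags < 0 ? -1 : (fdflags & FD_CLOEXEC) != 0;
}
```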


