Updated: mingw-bzip2-1.0.3-1, mingw-libbz2_1-1.0.3-1

Charles Wilson cygwin@cwilson.fastmail.fm
Sat Jul 9 05:32:00 GMT 2005

The mingw-bzip2 package has been updated to version 1.0.3-1. 
mingw-bzip2 provides the static library, DLL import library, and header 
files for building non-cygwin applications (like setup.exe) which need 
access to bzip2 compression algorithms.  mingw-libbz2_1 provides the 
corresponding DLL.

These libraries are built using the standard windows runtime library and 
NOT cygwin; it is used by setup.exe among other tools.  No executables 
(like bzip2.exe) are provided by these packages.  Use the cygwin 
versions instead, or go to the bzip2 homepage at http://www.bzip2.org/ 
for native windows executables.


Routine update to upstream version 1.0.3

Addresses security issue CAN-2005-1260 "bzip2 allows remote attackers to 
cause a denial of service (hard drive consumption) via a crafted bzip2 
file that causes an infinite loop (a.k.a "decompression bomb")."

Addresses security issue CAN-2005-0953 "Race condition in bzip2 1.0.2 
and earlier allows local users to modify permissions of arbitrary files 
via a hard link attack on a file while it is being decompressed, whose 
permissions are changed by bzip2 after the decompression is complete."


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.


If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:


If you need more information on unsubscribing, start reading here:


Please read *all* of the information on unsubscribing that is available
starting at the above URL.

More information about the Cygwin-announce mailing list