diff --git a/advisories/hackage/bz2/HSEC-2024-0002.md b/advisories/hackage/bz2/HSEC-2024-0002.md new file mode 120000 index 00000000..cb2989c5 --- /dev/null +++ b/advisories/hackage/bz2/HSEC-2024-0002.md @@ -0,0 +1 @@ +../bzlib/HSEC-2024-0002.md \ No newline at end of file diff --git a/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md new file mode 120000 index 00000000..cb2989c5 --- /dev/null +++ b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md @@ -0,0 +1 @@ +../bzlib/HSEC-2024-0002.md \ No newline at end of file diff --git a/advisories/hackage/bzlib/HSEC-2024-0002.md b/advisories/hackage/bzlib/HSEC-2024-0002.md new file mode 100644 index 00000000..d9e49d1f --- /dev/null +++ b/advisories/hackage/bzlib/HSEC-2024-0002.md @@ -0,0 +1,61 @@ +```toml +[advisory] +id = "HSEC-2024-0002" +cwe = [787] +keywords = ["corruption", "vendored-code", "language-c"] +aliases = ["CVE-2019-12900"] + +[[references]] +type = "DISCUSSION" +url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/" + +[[references]] +type = "DISCUSSION" +url = "http://scary.beasts.org/security/CESA-2008-005.html" + +[[references]] +type = "ADVISORY" +url = "https://access.redhat.com/security/cve/cve-2019-12900" + +[[references]] +type = "FIX" +url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184" + +[[affected]] +package = "bzlib" +cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + +[[affected.versions]] +introduced = "0.4" +fixed = "0.5.2.0" + +[[affected]] +package = "bz2" +cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + +[[affected.versions]] +introduced = "0.1.0.0" +fixed = "1.0.1.1" + +[[affected]] +package = "bzlib-conduit" +cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + +[[affected.versions]] +introduced = "0.1.0.0" +fixed = "0.3.0.3" +``` + +# out-of-bounds write when there are many bzip2 selectors + +A malicious bzip2 payload may produce a memory corruption +resulting in a denial of service and/or remote code execution. +Network services or command line utilities decompressing +untrusted bzip2 payloads are affected. + +Note that the exploitation of this bug relies on an undefined +behavior that appears to be handled safely by current compilers. + +The Haskell libraires are vulnerable when they are built using +the bundled C library source code, which is the default +in most cases.