From d99e6b02cb5294333848578d630b97f8d9775e49 Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray <tdecacqu@redhat.com>
Date: Fri, 8 Mar 2024 09:18:56 -0500
Subject: [PATCH] Add HSEC-2024-0002

---
 advisories/hackage/bz2/HSEC-2024-0002.md      |  1 +
 .../hackage/bzlib-conduit/HSEC-2024-0002.md   |  1 +
 advisories/hackage/bzlib/HSEC-2024-0002.md    | 61 +++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 120000 advisories/hackage/bz2/HSEC-2024-0002.md
 create mode 120000 advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
 create mode 100644 advisories/hackage/bzlib/HSEC-2024-0002.md

diff --git a/advisories/hackage/bz2/HSEC-2024-0002.md b/advisories/hackage/bz2/HSEC-2024-0002.md
new file mode 120000
index 00000000..cb2989c5
--- /dev/null
+++ b/advisories/hackage/bz2/HSEC-2024-0002.md
@@ -0,0 +1 @@
+../bzlib/HSEC-2024-0002.md
\ No newline at end of file
diff --git a/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
new file mode 120000
index 00000000..cb2989c5
--- /dev/null
+++ b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
@@ -0,0 +1 @@
+../bzlib/HSEC-2024-0002.md
\ No newline at end of file
diff --git a/advisories/hackage/bzlib/HSEC-2024-0002.md b/advisories/hackage/bzlib/HSEC-2024-0002.md
new file mode 100644
index 00000000..d9e49d1f
--- /dev/null
+++ b/advisories/hackage/bzlib/HSEC-2024-0002.md
@@ -0,0 +1,61 @@
+```toml
+[advisory]
+id = "HSEC-2024-0002"
+cwe = [787]
+keywords = ["corruption", "vendored-code", "language-c"]
+aliases = ["CVE-2019-12900"]
+
+[[references]]
+type = "DISCUSSION"
+url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"
+
+[[references]]
+type = "DISCUSSION"
+url = "http://scary.beasts.org/security/CESA-2008-005.html"
+
+[[references]]
+type = "ADVISORY"
+url = "https://access.redhat.com/security/cve/cve-2019-12900"
+
+[[references]]
+type = "FIX"
+url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"
+
+[[affected]]
+package = "bzlib"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.4"
+fixed = "0.5.2.0"
+
+[[affected]]
+package = "bz2"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "1.0.1.1"
+
+[[affected]]
+package = "bzlib-conduit"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "0.3.0.3"
+```
+
+# out-of-bounds write when there are many bzip2 selectors
+
+A malicious bzip2 payload may produce a memory corruption
+resulting in a denial of service and/or remote code execution.
+Network services or command line utilities decompressing
+untrusted bzip2 payloads are affected.
+
+Note that the exploitation of this bug relies on an undefined
+behavior that appears to be handled safely by current compilers.
+
+The Haskell libraires are vulnerable when they are built using
+the bundled C library source code, which is the default
+in most cases.