Red Hat 9037 Published by

A bzip2 security update is available for Red Hat Enterprise Linux

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Low: bzip2 security update
Advisory ID: RHSA-2005:474-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-474.html
Issue date: 2005-06-16
Updated on: 2005-06-16
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0758 CAN-2005-0953 CAN-2005-1260
----------------------------------------------------------------------

1. Summary:

Updated bzip2 packages that fix multiple issues are now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64



3. Problem description:

Bzip2 is a data compressor.

A bug was found in the way bzgrep processes file names. If a user can be tricked into running bzgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running bzgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0758 to this issue.

A bug was found in the way bzip2 modifies file permissions during decompression. If an attacker has write access to the directory into which bzip2 is decompressing files, it is possible for them to modify permissions on files owned by the user running bzip2 (CAN-2005-0953).

A bug was found in the way bzip2 decompresses files. It is possible for an attacker to create a specially crafted bzip2 file which will cause bzip2 to cause a denial of service (by filling disk space) if decompressed by a victim (CAN-2005-1260).

Users of Bzip2 should upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

155742 - CAN-2005-0953 bzip2 race condition
157548 - CAN-2005-1260 bzip2 decompression bomb (DoS)
159816 - CAN-2005-0758 bzgrep has security issue in sed usage


6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/bzip2-1.0.1-4.EL2.1.src.rpm
15cce1e7cda0c3683de8571c732f992a bzip2-1.0.1-4.EL2.1.src.rpm

i386:
1c0626bc05764ace3f35b370c871f82a bzip2-1.0.1-4.EL2.1.i386.rpm
3becb343198896560698474b9ce06eed bzip2-devel-1.0.1-4.EL2.1.i386.rpm
793e7e2eafdf9290f869776e465f0922 bzip2-libs-1.0.1-4.EL2.1.i386.rpm

ia64:
9251923eb2a525c4edae8db9292d1865 bzip2-1.0.1-4.EL2.1.ia64.rpm
385e4b274f4eccec2dae40406f4411ed bzip2-devel-1.0.1-4.EL2.1.ia64.rpm
4feb401951ddc05a68c9de17671e2311 bzip2-libs-1.0.1-4.EL2.1.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/bzip2-1.0.1-4.EL2.1.src.rpm
15cce1e7cda0c3683de8571c732f992a bzip2-1.0.1-4.EL2.1.src.rpm

ia64:
9251923eb2a525c4edae8db9292d1865 bzip2-1.0.1-4.EL2.1.ia64.rpm
385e4b274f4eccec2dae40406f4411ed bzip2-devel-1.0.1-4.EL2.1.ia64.rpm
4feb401951ddc05a68c9de17671e2311 bzip2-libs-1.0.1-4.EL2.1.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/bzip2-1.0.1-4.EL2.1.src.rpm
15cce1e7cda0c3683de8571c732f992a bzip2-1.0.1-4.EL2.1.src.rpm

i386:
1c0626bc05764ace3f35b370c871f82a bzip2-1.0.1-4.EL2.1.i386.rpm
3becb343198896560698474b9ce06eed bzip2-devel-1.0.1-4.EL2.1.i386.rpm
793e7e2eafdf9290f869776e465f0922 bzip2-libs-1.0.1-4.EL2.1.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/bzip2-1.0.1-4.EL2.1.src.rpm
15cce1e7cda0c3683de8571c732f992a bzip2-1.0.1-4.EL2.1.src.rpm

i386:
1c0626bc05764ace3f35b370c871f82a bzip2-1.0.1-4.EL2.1.i386.rpm
3becb343198896560698474b9ce06eed bzip2-devel-1.0.1-4.EL2.1.i386.rpm
793e7e2eafdf9290f869776e465f0922 bzip2-libs-1.0.1-4.EL2.1.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/bzip2-1.0.2-11.EL3.4.src.rpm
4b0b7d56f486e271def24561f7a306f5 bzip2-1.0.2-11.EL3.4.src.rpm

i386:
e630bfc98b065f94c2b0ecd0d2c7ef25 bzip2-1.0.2-11.EL3.4.i386.rpm
7ea9c20badeaad2ea842fdb68f13d555 bzip2-devel-1.0.2-11.EL3.4.i386.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm

ia64:
090b5ed939e2f48c51915eb925f96272 bzip2-1.0.2-11.EL3.4.ia64.rpm
60ac531bf93510d4452676c7412f45b4 bzip2-devel-1.0.2-11.EL3.4.ia64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
2f0634a4f0c00b853d8ac423a4cc7421 bzip2-libs-1.0.2-11.EL3.4.ia64.rpm

ppc:
9f4561be52e588f06a8a38756b695fe7 bzip2-1.0.2-11.EL3.4.ppc.rpm
13fdc5b3f50f57afdc91548305df824a bzip2-devel-1.0.2-11.EL3.4.ppc.rpm
b8b31503dd33bb1b2b96c382fc86818b bzip2-libs-1.0.2-11.EL3.4.ppc.rpm
29ec39f91ae7fc800e9c1dee57e0ad96 bzip2-libs-1.0.2-11.EL3.4.ppc64.rpm

s390:
396f50fe9c7802b4699893b36463fc14 bzip2-1.0.2-11.EL3.4.s390.rpm
826a420199a7644ec1474170331d4160 bzip2-devel-1.0.2-11.EL3.4.s390.rpm
be3865bf78e76449b1fc091a72cf3e41 bzip2-libs-1.0.2-11.EL3.4.s390.rpm

s390x:
e58bda6c70b90b23384c0e46689237cd bzip2-1.0.2-11.EL3.4.s390x.rpm
658b7beaabcefd6598a8914308addcde bzip2-devel-1.0.2-11.EL3.4.s390x.rpm
be3865bf78e76449b1fc091a72cf3e41 bzip2-libs-1.0.2-11.EL3.4.s390.rpm
5f311e230c1934a8c84962fb6b64c9bf bzip2-libs-1.0.2-11.EL3.4.s390x.rpm

x86_64:
b93b509f8d6e9aec46504c7e76ed1d28 bzip2-1.0.2-11.EL3.4.x86_64.rpm
29888d27b0655212b0e1e71e2047b198 bzip2-devel-1.0.2-11.EL3.4.x86_64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
eeb205ab6cf50dd6be136b6733ca2c12 bzip2-libs-1.0.2-11.EL3.4.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/bzip2-1.0.2-11.EL3.4.src.rpm
4b0b7d56f486e271def24561f7a306f5 bzip2-1.0.2-11.EL3.4.src.rpm

i386:
e630bfc98b065f94c2b0ecd0d2c7ef25 bzip2-1.0.2-11.EL3.4.i386.rpm
7ea9c20badeaad2ea842fdb68f13d555 bzip2-devel-1.0.2-11.EL3.4.i386.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm

x86_64:
b93b509f8d6e9aec46504c7e76ed1d28 bzip2-1.0.2-11.EL3.4.x86_64.rpm
29888d27b0655212b0e1e71e2047b198 bzip2-devel-1.0.2-11.EL3.4.x86_64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
eeb205ab6cf50dd6be136b6733ca2c12 bzip2-libs-1.0.2-11.EL3.4.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/bzip2-1.0.2-11.EL3.4.src.rpm
4b0b7d56f486e271def24561f7a306f5 bzip2-1.0.2-11.EL3.4.src.rpm

i386:
e630bfc98b065f94c2b0ecd0d2c7ef25 bzip2-1.0.2-11.EL3.4.i386.rpm
7ea9c20badeaad2ea842fdb68f13d555 bzip2-devel-1.0.2-11.EL3.4.i386.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm

ia64:
090b5ed939e2f48c51915eb925f96272 bzip2-1.0.2-11.EL3.4.ia64.rpm
60ac531bf93510d4452676c7412f45b4 bzip2-devel-1.0.2-11.EL3.4.ia64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
2f0634a4f0c00b853d8ac423a4cc7421 bzip2-libs-1.0.2-11.EL3.4.ia64.rpm

x86_64:
b93b509f8d6e9aec46504c7e76ed1d28 bzip2-1.0.2-11.EL3.4.x86_64.rpm
29888d27b0655212b0e1e71e2047b198 bzip2-devel-1.0.2-11.EL3.4.x86_64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
eeb205ab6cf50dd6be136b6733ca2c12 bzip2-libs-1.0.2-11.EL3.4.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/bzip2-1.0.2-11.EL3.4.src.rpm
4b0b7d56f486e271def24561f7a306f5 bzip2-1.0.2-11.EL3.4.src.rpm

i386:
e630bfc98b065f94c2b0ecd0d2c7ef25 bzip2-1.0.2-11.EL3.4.i386.rpm
7ea9c20badeaad2ea842fdb68f13d555 bzip2-devel-1.0.2-11.EL3.4.i386.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm

ia64:
090b5ed939e2f48c51915eb925f96272 bzip2-1.0.2-11.EL3.4.ia64.rpm
60ac531bf93510d4452676c7412f45b4 bzip2-devel-1.0.2-11.EL3.4.ia64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
2f0634a4f0c00b853d8ac423a4cc7421 bzip2-libs-1.0.2-11.EL3.4.ia64.rpm

x86_64:
b93b509f8d6e9aec46504c7e76ed1d28 bzip2-1.0.2-11.EL3.4.x86_64.rpm
29888d27b0655212b0e1e71e2047b198 bzip2-devel-1.0.2-11.EL3.4.x86_64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
eeb205ab6cf50dd6be136b6733ca2c12 bzip2-libs-1.0.2-11.EL3.4.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/bzip2-1.0.2-13.EL4.2.src.rpm
4495b4152a765ceecb841c3349558060 bzip2-1.0.2-13.EL4.2.src.rpm

i386:
ab59af954705641daac16065d4e2bcf7 bzip2-1.0.2-13.EL4.2.i386.rpm
546cb5f4aa2a2e2895d1db0cc3220c26 bzip2-devel-1.0.2-13.EL4.2.i386.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm

ia64:
fbb427d2a11e236e2d1c6d85f7ae2e9d bzip2-1.0.2-13.EL4.2.ia64.rpm
cf2525427b75389276eb11a107fd62e3 bzip2-devel-1.0.2-13.EL4.2.ia64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
aa2f13bce94b5bfc31c336f75d49fd25 bzip2-libs-1.0.2-13.EL4.2.ia64.rpm

ppc:
204622acd8c606580308a3b0dbf2c99a bzip2-1.0.2-13.EL4.2.ppc.rpm
3f05fc5d21cf9e3bc7070194082a6884 bzip2-devel-1.0.2-13.EL4.2.ppc.rpm
a72e7e67d811edfbd79f610404ff51e9 bzip2-libs-1.0.2-13.EL4.2.ppc.rpm
3dbe5c3142fd98934ac12cde21e5bc69 bzip2-libs-1.0.2-13.EL4.2.ppc64.rpm

s390:
afd31a247fa25233417704526866b5b3 bzip2-1.0.2-13.EL4.2.s390.rpm
c63fe9698ef0294ec080aeabf340af01 bzip2-devel-1.0.2-13.EL4.2.s390.rpm
aff40f1abf3058316207b1d516e3a2dd bzip2-libs-1.0.2-13.EL4.2.s390.rpm

s390x:
86937cfe7a1f9a8aa246e17f4630614d bzip2-1.0.2-13.EL4.2.s390x.rpm
f6fa8a9286574caf767121a31d9dfcb2 bzip2-devel-1.0.2-13.EL4.2.s390x.rpm
aff40f1abf3058316207b1d516e3a2dd bzip2-libs-1.0.2-13.EL4.2.s390.rpm
c88d05a31e1245b424a37fa041189b7a bzip2-libs-1.0.2-13.EL4.2.s390x.rpm

x86_64:
69e064537425dc144b6772efb5e304d1 bzip2-1.0.2-13.EL4.2.x86_64.rpm
f88531e2768a888309a7af9413ec6840 bzip2-devel-1.0.2-13.EL4.2.x86_64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
61d1401fcc8398bbf448a130ed068272 bzip2-libs-1.0.2-13.EL4.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/bzip2-1.0.2-13.EL4.2.src.rpm
4495b4152a765ceecb841c3349558060 bzip2-1.0.2-13.EL4.2.src.rpm

i386:
ab59af954705641daac16065d4e2bcf7 bzip2-1.0.2-13.EL4.2.i386.rpm
546cb5f4aa2a2e2895d1db0cc3220c26 bzip2-devel-1.0.2-13.EL4.2.i386.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm

x86_64:
69e064537425dc144b6772efb5e304d1 bzip2-1.0.2-13.EL4.2.x86_64.rpm
f88531e2768a888309a7af9413ec6840 bzip2-devel-1.0.2-13.EL4.2.x86_64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
61d1401fcc8398bbf448a130ed068272 bzip2-libs-1.0.2-13.EL4.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/bzip2-1.0.2-13.EL4.2.src.rpm
4495b4152a765ceecb841c3349558060 bzip2-1.0.2-13.EL4.2.src.rpm

i386:
ab59af954705641daac16065d4e2bcf7 bzip2-1.0.2-13.EL4.2.i386.rpm
546cb5f4aa2a2e2895d1db0cc3220c26 bzip2-devel-1.0.2-13.EL4.2.i386.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm

ia64:
fbb427d2a11e236e2d1c6d85f7ae2e9d bzip2-1.0.2-13.EL4.2.ia64.rpm
cf2525427b75389276eb11a107fd62e3 bzip2-devel-1.0.2-13.EL4.2.ia64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
aa2f13bce94b5bfc31c336f75d49fd25 bzip2-libs-1.0.2-13.EL4.2.ia64.rpm

x86_64:
69e064537425dc144b6772efb5e304d1 bzip2-1.0.2-13.EL4.2.x86_64.rpm
f88531e2768a888309a7af9413ec6840 bzip2-devel-1.0.2-13.EL4.2.x86_64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
61d1401fcc8398bbf448a130ed068272 bzip2-libs-1.0.2-13.EL4.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/bzip2-1.0.2-13.EL4.2.src.rpm
4495b4152a765ceecb841c3349558060 bzip2-1.0.2-13.EL4.2.src.rpm

i386:
ab59af954705641daac16065d4e2bcf7 bzip2-1.0.2-13.EL4.2.i386.rpm
546cb5f4aa2a2e2895d1db0cc3220c26 bzip2-devel-1.0.2-13.EL4.2.i386.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm

ia64:
fbb427d2a11e236e2d1c6d85f7ae2e9d bzip2-1.0.2-13.EL4.2.ia64.rpm
cf2525427b75389276eb11a107fd62e3 bzip2-devel-1.0.2-13.EL4.2.ia64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
aa2f13bce94b5bfc31c336f75d49fd25 bzip2-libs-1.0.2-13.EL4.2.ia64.rpm

x86_64:
69e064537425dc144b6772efb5e304d1 bzip2-1.0.2-13.EL4.2.x86_64.rpm
f88531e2768a888309a7af9413ec6840 bzip2-devel-1.0.2-13.EL4.2.x86_64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
61d1401fcc8398bbf448a130ed068272 bzip2-libs-1.0.2-13.EL4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://scary.beasts.org/security/CESA-2005-002.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.