CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2.xs

Related Vulnerabilities: CVE-2009-1884   CVE-2009-1391  

Debian Bug report logs - #542777
CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2.xs


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 21 Aug 2009 10:21:03 UTC

Severity: grave

Tags: patch, security

Found in version 2.011-1

Fixed in versions 2.018-1, 2.020-1, libcompress-raw-bzip2-perl/2.011-2lenny1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bas Zoetekouw <bas@debian.org>:
Bug#542777; Package libcompress-raw-bzip2-perl. (Fri, 21 Aug 2009 10:21:19 GMT).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bas Zoetekouw <bas@debian.org>. (Fri, 21 Aug 2009 10:21:21 GMT).


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2.xs
Date: Fri, 21 Aug 2009 11:35:12 +0200
Package: libcompress-raw-bzip2-perl
Version: 2.020-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libcompress-raw-bzip2-perl.

CVE-2009-1884[0]:
| Off-by-one error in the bzinflate function in Bzip2.xs in the
| Compress-Raw-Bzip2 module before 2.018 for Perl allows
| context-dependent attackers to cause a denial of service (application
| hang or crash) via a crafted bzip2 compressed stream that triggers a
| buffer overflow, a related issue to CVE-2009-1391.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1884
    http://security-tracker.debian.net/tracker/CVE-2009-1884
    Patch: https://bugs.gentoo.org/attachment.cgi?id=201642





Bug Marked as found in versions 2.011-1. Request was from Bas Zoetekouw <bas@debian.org> to control@bugs.debian.org. (Mon, 24 Aug 2009 19:50:23 GMT).


Bug No longer marked as found in versions libcompress-raw-bzip2-perl/2.020-1. Request was from Bas Zoetekouw <bas@debian.org> to control@bugs.debian.org. (Mon, 24 Aug 2009 19:50:24 GMT).


Bug Marked as fixed in versions 2.018-1. Request was from Bas Zoetekouw <bas@debian.org> to control@bugs.debian.org. (Mon, 24 Aug 2009 19:50:25 GMT).


Bug Marked as fixed in versions 2.020-1. Request was from Bas Zoetekouw <bas@debian.org> to control@bugs.debian.org. (Mon, 24 Aug 2009 20:03:12 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Bas Zoetekouw <bas@debian.org>:
Bug#542777; Package libcompress-raw-bzip2-perl. (Thu, 27 Aug 2009 19:15:12 GMT).


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Bas Zoetekouw <bas@debian.org>. (Thu, 27 Aug 2009 19:15:12 GMT).


Message #18 received at 542777@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 542777@bugs.debian.org
Subject: Re: Bug#542777: CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2.xs
Date: Thu, 27 Aug 2009 21:35:58 +0300

On Fri, Aug 21, 2009 at 11:35:12AM +0200, Giuseppe Iuculano wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for libcompress-raw-bzip2-perl.
> 
> CVE-2009-1884[0]:
> | Off-by-one error in the bzinflate function in Bzip2.xs in the
> | Compress-Raw-Bzip2 module before 2.018 for Perl allows
> | context-dependent attackers to cause a denial of service (application
> | hang or crash) via a crafted bzip2 compressed stream that triggers a
> | buffer overflow, a related issue to CVE-2009-1391.

Hi Bas,

FYI I'm preparing stable updates of perl and libcompress-raw-zlib-perl
because of the identical issue in Compress-Raw-Zlib (CVE-2009-1391). The
security team recommended this because they are too busy to prepare DSAs
for such minor issues.

Please consider updating libcompress-raw-bzip2-perl too. The window for
the next stable update is closing this weekend.

Cheers,
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#542777; Package libcompress-raw-bzip2-perl. (Thu, 27 Aug 2009 19:30:04 GMT).


Acknowledgement sent to Bas Zoetekouw <bas@debian.org>:
Extra info received and forwarded to list. (Thu, 27 Aug 2009 19:30:04 GMT).


Message #23 received at 542777@bugs.debian.org:

From: Bas Zoetekouw <bas@debian.org>
To: Niko Tyni <ntyni@debian.org>, 542777@bugs.debian.org
Cc: Gregor Herrmann <gregoa@debian.org>
Subject: Re: Bug#542777: CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2.xs
Date: Thu, 27 Aug 2009 21:27:13 +0200

Hi Niko!

You wrote:

> FYI I'm preparing stable updates of perl and libcompress-raw-zlib-perl
> because of the identical issue in Compress-Raw-Zlib (CVE-2009-1391). The
> security team recommended this because they are too busy to prepare DSAs
> for such minor issues.
> 
> Please consider updating libcompress-raw-bzip2-perl too. The window for
> the next stable update is closing this weekend.

Unfortunately I don't have access to my Debian machines at the moment
(I'm in the middle of moving house).  Gregor volunteered to NMU the
package though.
Gregor, do you think you'll have time to NMU on such short notice?

Thanks,
Bas.




Information forwarded to debian-bugs-dist@lists.debian.org, Bas Zoetekouw <bas@debian.org>:
Bug#542777; Package libcompress-raw-bzip2-perl. (Thu, 27 Aug 2009 22:27:03 GMT).


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Bas Zoetekouw <bas@debian.org>. (Thu, 27 Aug 2009 22:27:03 GMT).


Message #28 received at 542777@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Bas Zoetekouw <bas@debian.org>
Cc: Niko Tyni <ntyni@debian.org>, 542777@bugs.debian.org
Subject: Re: Bug#542777: CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2.xs
Date: Fri, 28 Aug 2009 00:22:06 +0200

On Thu, 27 Aug 2009 21:27:13 +0200, Bas Zoetekouw wrote:

> > FYI I'm preparing stable updates of perl and libcompress-raw-zlib-perl
> > because of the identical issue in Compress-Raw-Zlib (CVE-2009-1391). The
> > security team recommended this because they are too busy to prepare DSAs
> > for such minor issues.
> > 
> > Please consider updating libcompress-raw-bzip2-perl too. The window for
> > the next stable update is closing this weekend.
> 
> Unfortunately I don't have access to my Debian machines at the moment
> (I'm in the middle of moving house).  Gregor volunteered to NMU the
> package though.
> Gregor, do you think you'll have time to NMU on such short notice?

Oops, seems I should read all mails before preparing debdiffs after
reading the first one :)

Anyway, you've seen my tentative diff, and I also have time on Friday
and Sunday for any changes and uploads.

Cheers,
gregor, who is just a bit confused why libcompress-raw-zlib-perl goes
        to s-p-u and libcompress-raw-bzip2-perl maybe to
        stable-security
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG Key IDs: 0x00F3CFE4, 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-    NP: The Chieftains
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bas Zoetekouw <bas@debian.org>:
Bug#542777; Package libcompress-raw-bzip2-perl. (Fri, 28 Aug 2009 06:15:05 GMT).


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Bas Zoetekouw <bas@debian.org>. (Fri, 28 Aug 2009 06:15:05 GMT).


Message #33 received at 542777@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: gregor herrmann <gregoa@debian.org>
Cc: 542777@bugs.debian.org
Subject: Re: Bug#542777: CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2.xs
Date: Fri, 28 Aug 2009 09:06:40 +0300

On Fri, Aug 28, 2009 at 12:22:06AM +0200, gregor herrmann wrote:
> On Thu, 27 Aug 2009 21:27:13 +0200, Bas Zoetekouw wrote:
> 
> > > FYI I'm preparing stable updates of perl and libcompress-raw-zlib-perl
> > > because of the identical issue in Compress-Raw-Zlib (CVE-2009-1391). The
> > > security team recommended this because they are too busy to prepare DSAs
> > > for such minor issues.
> > > 
> > > Please consider updating libcompress-raw-bzip2-perl too. The window for
> > > the next stable update is closing this weekend.
> > 
> > Unfortunately I don't have access to my Debian machines at the moment
> > (I'm in the middle of moving house).  Gregor volunteered to NMU the
> > package though.
> > Gregor, do you think you'll have time to NMU on such short notice?
> 
> Oops, seems I should read all mails before preparing debdiffs after
> reading the first one :)
> 
> Anyway, you've seen my tentative diff, and I also have time on Friday
> and Sunday for any changes and uploads.

Thanks for picking this up Gregor. Not sure if a testcase can be found
through the CVE entries, so I'm attaching one for your convenience.

> Cheers,
> gregor, who is just a bit confused why libcompress-raw-zlib-perl goes
>         to s-p-u and libcompress-raw-bzip2-perl maybe to
>         stable-security

Has the security team acked a libcompress-raw-bzip2-perl upload?
I assumed this one would go through s-p-u too.
-- 
Niko Tyni   ntyni@debian.org
[bunzip2.pl (text/x-perl, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bas Zoetekouw <bas@debian.org>:
Bug#542777; Package libcompress-raw-bzip2-perl. (Fri, 28 Aug 2009 12:57:20 GMT).


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Bas Zoetekouw <bas@debian.org>. (Fri, 28 Aug 2009 12:57:20 GMT).


Message #38 received at 542777@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Niko Tyni <ntyni@debian.org>, 542777@bugs.debian.org
Subject: Re: Bug#542777: CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2.xs
Date: Fri, 28 Aug 2009 14:50:58 +0200

On Fri, 28 Aug 2009 09:06:40 +0300, Niko Tyni wrote:

> > Anyway, you've seen my tentative diff, and I also have time on Friday
> > and Sunday for any changes and uploads.
> Thanks for picking this up Gregor. Not sure if a testcase can be found
> through the CVE entries, so I'm attaching one for your convenience.

Thanks a lot!

Here's the output of the package in stable:

gregor@tux:/tmp/bzip$ dd if=/dev/zero bs=16384 count=1 | bzip2 - | valgrind perl bunzip2.pl >/dev/null
1+0 records in
1+0 records out
16384 bytes (16 kB) copied, 3.4281e-05 s, 478 MB/s
==2620== Memcheck, a memory error detector.
==2620== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==2620== Using LibVEX rev 1854, a library for dynamic binary translation.
==2620== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==2620== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==2620== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==2620== For more details, rerun with: -v
==2620== 
==2620== Invalid write of size 1
==2620==    at 0x64245AC: XS_Compress__Raw__Bunzip2_bzinflate (in /usr/lib/perl5/auto/Compress/Raw/Bzip2/Bzip2.so)
==2620==    by 0x4ED2EBF: Perl_pp_entersub (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4ED13A1: Perl_runops_standard (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4ECC5EE: perl_run (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x400D0B: main (in /usr/bin/perl)
==2620==  Address 0x5f759b0 is 0 bytes after a block of size 16,384 alloc'd
==2620==    at 0x4C2260E: malloc (vg_replace_malloc.c:207)
==2620==    by 0x4EB2545: Perl_safesysmalloc (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4EE8A97: Perl_sv_grow (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x64242AD: XS_Compress__Raw__Bunzip2_bzinflate (in /usr/lib/perl5/auto/Compress/Raw/Bzip2/Bzip2.so)
==2620==    by 0x4ED2EBF: Perl_pp_entersub (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4ED13A1: Perl_runops_standard (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x4ECC5EE: perl_run (in /usr/lib/libperl.so.5.10.0)
==2620==    by 0x400D0B: main (in /usr/bin/perl)
==2620== 
==2620== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 9 from 2)
==2620== malloc/free: in use at exit: 631,829 bytes in 7,105 blocks.
==2620== malloc/free: 13,617 allocs, 6,512 frees, 4,771,390 bytes allocated.
==2620== For counts of detected errors, rerun with: -v
==2620== searching for pointers to 7,105 not-freed blocks.
==2620== checked 371,088 bytes.
==2620== 
==2620== LEAK SUMMARY:
==2620==    definitely lost: 629,033 bytes in 7,094 blocks.
==2620==      possibly lost: 0 bytes in 0 blocks.
==2620==    still reachable: 2,796 bytes in 11 blocks.
==2620==         suppressed: 0 bytes in 0 blocks.
==2620== Rerun with --leak-check=full to see details of leaked memory.

And here with the patch:

gregor@tux:/tmp/bzip$ dd if=/dev/zero bs=16384 count=1 | bzip2 - | valgrind perl bunzip2.pl >/dev/null
1+0 records in
1+0 records out
16384 bytes (16 kB) copied, 3.3554e-05 s, 488 MB/s
==2556== Memcheck, a memory error detector.
==2556== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==2556== Using LibVEX rev 1854, a library for dynamic binary translation.
==2556== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==2556== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==2556== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==2556== For more details, rerun with: -v
==2556==
==2556==
==2556== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 9 from 2)
==2556== malloc/free: in use at exit: 631,837 bytes in 7,105 blocks.
==2556== malloc/free: 13,617 allocs, 6,512 frees, 4,771,398 bytes allocated.
==2556== For counts of detected errors, rerun with: -v
==2556== searching for pointers to 7,105 not-freed blocks.
==2556== checked 371,088 bytes.
==2556==
==2556== LEAK SUMMARY:
==2556==    definitely lost: 629,041 bytes in 7,094 blocks.
==2556==      possibly lost: 0 bytes in 0 blocks.
==2556==    still reachable: 2,796 bytes in 11 blocks.
==2556==         suppressed: 0 bytes in 0 blocks.
==2556== Rerun with --leak-check=full to see details of leaked memory.

 
> > gregor, who is just a bit confused why libcompress-raw-zlib-perl goes
> >         to s-p-u and libcompress-raw-bzip2-perl maybe to
> >         stable-security
> Has the security team acked a libcompress-raw-bzip2-perl upload?
> I assumed this one would go through s-p-u too.

JFTR (you know it already from a CC): the security team now proposes
to run libcompress-raw-bzip2-perl through s-p-u, too.

Cheers,
gregor 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG Key IDs: 0x00F3CFE4, 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-    NP: Nguyên Lê: Lacrima Christi
[signature.asc (application/pgp-signature, inline)]
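
A simplified C model of the finding in the valgrind run above (a 1-byte invalid write "0 bytes after a block of size 16,384"), added here as an illustration; it is not the Bzip2.xs code or the referenced patch. It assumes the stray byte is a string terminator stored after an output buffer that was filled exactly to capacity; `outbuf`, `produce` and `inflate_model` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable output buffer; stands in for the Perl scalar. */
typedef struct {
    unsigned char *data;
    size_t cap;  /* bytes allocated */
    size_t len;  /* payload bytes written so far */
} outbuf;

/* Constructed stand-in for the decompressor: emits up to `room` zero bytes. */
static size_t produce(unsigned char *dst, size_t room, size_t *remaining)
{
    size_t n = *remaining < room ? *remaining : room;
    memset(dst, 0, n);
    *remaining -= n;
    return n;
}

/*
 * Decompress `total` bytes in steps of `bufsize`, then NUL-terminate.
 *   reserve = 0: the allocation holds payload only (off-by-one pattern)
 *   reserve = 1: one spare byte is always kept for the terminator
 * Returns 0 if the terminator was stored in bounds, 1 if it would have
 * landed at data[cap] (the write is skipped, never performed), -1 on error.
 */
int inflate_model(size_t total, size_t bufsize, size_t reserve, outbuf *o)
{
    size_t remaining = total, payload_cap = 0;

    o->data = NULL; o->cap = 0; o->len = 0;
    if (bufsize == 0)
        return -1;
    do {
        if (o->len == payload_cap) {        /* output space exhausted: grow */
            unsigned char *p = realloc(o->data, payload_cap + bufsize + reserve);
            if (p == NULL) {
                free(o->data);
                o->data = NULL; o->cap = 0; o->len = 0;
                return -1;
            }
            payload_cap += bufsize;
            o->data = p;
            o->cap = payload_cap + reserve;
        }
        o->len += produce(o->data + o->len, payload_cap - o->len, &remaining);
    } while (remaining > 0);

    if (o->len >= o->cap)
        return 1;                /* terminator would land one past the block */
    o->data[o->len] = '\0';
    return 0;
}

int main(void)
{
    /* 16384 matches the dd block size used in the test run above. */
    const size_t sizes[] = { 16383, 16384, 32768 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        for (size_t reserve = 0; reserve <= 1; reserve++) {
            outbuf o;
            int rc = inflate_model(sizes[i], 16384, reserve, &o);
            printf("total=%zu reserve=%zu cap=%zu -> %s\n", sizes[i], reserve, o.cap,
                   rc == 1 ? "terminator out of bounds" : rc == 0 ? "ok" : "error");
            free(o.data);
        }
    }
    return 0;
}
```

Only inputs whose decompressed length is an exact multiple of the buffer size hit the boundary, which is why a 16384-byte input is enough to trigger the report.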

Added tag(s) pending. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Fri, 28 Aug 2009 19:12:04 GMT).


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Fri, 28 Aug 2009 20:36:23 GMT).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 28 Aug 2009 20:36:23 GMT).


Message #45 received at 542777-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 542777-close@bugs.debian.org
Subject: Bug#542777: fixed in libcompress-raw-bzip2-perl 2.011-2lenny1
Date: Fri, 28 Aug 2009 19:59:32 +0000
Source: libcompress-raw-bzip2-perl
Source-Version: 2.011-2lenny1

We believe that the bug you reported is fixed in the latest version of
libcompress-raw-bzip2-perl, which is due to be installed in the Debian FTP archive:

libcompress-raw-bzip2-perl_2.011-2lenny1.diff.gz
  to pool/main/libc/libcompress-raw-bzip2-perl/libcompress-raw-bzip2-perl_2.011-2lenny1.diff.gz
libcompress-raw-bzip2-perl_2.011-2lenny1.dsc
  to pool/main/libc/libcompress-raw-bzip2-perl/libcompress-raw-bzip2-perl_2.011-2lenny1.dsc
libcompress-raw-bzip2-perl_2.011-2lenny1_i386.deb
  to pool/main/libc/libcompress-raw-bzip2-perl/libcompress-raw-bzip2-perl_2.011-2lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 542777@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libcompress-raw-bzip2-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 27 Aug 2009 23:54:27 +0200
Source: libcompress-raw-bzip2-perl
Binary: libcompress-raw-bzip2-perl
Architecture: source i386
Version: 2.011-2lenny1
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Bas Zoetekouw <bas@debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 libcompress-raw-bzip2-perl - Low-Level Interface to bzip2 compression library
Closes: 542777
Changes: 
 libcompress-raw-bzip2-perl (2.011-2lenny1) stable-proposed-updates; urgency=high
 .
   * Non-maintainer upload on maintainer's request.
   * [SECURITY] CVE-2009-1884: fix off-by-one error in the bzinflate function
     in Bzip2.xs. Closes: #542777





Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Fri, 04 Sep 2009 19:21:39 GMT).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 04 Sep 2009 19:21:39 GMT).


Message #50 received at 542777-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 542777-close@bugs.debian.org
Subject: Bug#542777: fixed in libcompress-raw-bzip2-perl 2.011-2lenny1
Date: Fri, 04 Sep 2009 18:32:11 +0000
Source: libcompress-raw-bzip2-perl
Source-Version: 2.011-2lenny1






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Oct 2009 07:45:30 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:40:51 2019; Machine Name: beach
