[Bug 1140733] New: lbzip2 - don't exceed 18002 selectors
http://bugzilla.suse.com/show_bug.cgi?id=1140733

Bug ID: 1140733
Summary: lbzip2 - don't exceed 18002 selectors
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Factory
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: kstreitova@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Bzip2 recently got a fix [1] (CVE-2019-12900) that causes files compressed by lbzip2 before this commit [2] to fail to uncompress. Before that lbzip2 b6dc48 commit, lbzip2 abused a bzip2 bug that allowed more than 18002 selectors to be accepted. As this bzip2 bug is now fixed, lbzip2 needs to be adjusted in the same manner.

[1] https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824d...
[2] https://github.com/kjn/lbzip2/commit/b6dc48a7b9bfe6b340ed1f6d72133608ad57144...

--
You are receiving this mail because:
You are on the CC list for the bug.
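The selector limit described in this report can be checked by reading the selector count from the first block header of a .bz2 stream. This is an added example, not code from bzip2, lbzip2 or the bug report; the function names are assumptions, the sample header is constructed, and only the first block is inspected.

```python
BZ_MAX_SELECTORS = 18002       # limit named in the bug summary
BLOCK_MAGIC = 0x314159265359   # 48-bit marker that opens a bzip2 block


class Bits:
    """MSB-first bit reader (the bit order bzip2 uses)."""
    def __init__(self, data: bytes):
        self.value = int.from_bytes(data, "big")
        self.left = len(data) * 8

    def take(self, n: int) -> int:
        if n > self.left:
            raise ValueError("truncated stream")
        self.left -= n
        return (self.value >> self.left) & ((1 << n) - 1)


def first_block_selectors(data: bytes) -> int:
    """Return nSelectors from the first block header of a bzip2 stream."""
    if data[:3] != b"BZh" or not b"1" <= data[3:4] <= b"9":
        raise ValueError("not a bzip2 stream")
    bits = Bits(data[4:68])        # the fields read here fit in 50 bytes
    if bits.take(48) != BLOCK_MAGIC:
        raise ValueError("no block header after the stream header")
    bits.take(32)                  # block CRC
    bits.take(1)                   # "randomised" flag
    bits.take(24)                  # origPtr
    in_use16 = bits.take(16)       # which 16-symbol ranges are present
    bits.take(16 * bin(in_use16).count("1"))  # one 16-bit map per range
    if not 2 <= bits.take(3) <= 6:            # nGroups (Huffman tables)
        raise ValueError("bad Huffman table count")
    return bits.take(15)           # 15-bit field, so it can encode 32767


def selectors_ok(data: bytes) -> bool:
    """True when the first block stays within the 18002-selector limit."""
    return 1 <= first_block_selectors(data) <= BZ_MAX_SELECTORS


def constructed_header(n_selectors: int) -> bytes:
    """Constructed sample: header fields only, one symbol range, 2 tables."""
    fields = [(BLOCK_MAGIC, 48), (0, 32), (0, 1), (0, 24),
              (0x8000, 16), (0xFFFF, 16), (2, 3), (n_selectors, 15)]
    value = width = 0
    for v, w in fields:
        value, width = (value << w) | v, width + w
    pad = -width % 8               # pad to a whole number of bytes
    return b"BZh9" + (value << pad).to_bytes((width + pad) // 8, "big")
```

The same functions accept the bytes of a real file, for example the output of Python's `bz2.compress`.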
http://bugzilla.suse.com/show_bug.cgi?id=1140733#c1
Kristyna Streitova
http://bugzilla.suse.com/show_bug.cgi?id=1140733#c2
--- Comment #2 from Tristan Miller
http://bugzilla.suse.com/show_bug.cgi?id=1140733#c3
--- Comment #3 from Kristyna Streitova
Not sure why this issue has been assigned to me -- I had agreed to maintain the package only as a "last resort" in the event that the existing maintainers had gone AWOL, which does not seem to be the case.
Hello Tristan,

I've assigned this bug to you, because you are listed as a maintainer of lbzip2:

# osc maintainer -e lbzip2
Defined in package: Archiving/lbzip2
bugowner of lbzip2 : -
maintainer of lbzip2 : psychonaut@nothingisreal.com

If this is not true, then feel free to reassign it to the responsible person and reset your maintainership. Thanks!
Nonetheless, I took a look at the lbzip2 commit in question, which is from October 2017. It doesn't look trivial to apply this to the stable version 2.25, which was released in March 2014
This is probably a typo here. The current version we have both in Leap and Tumbleweed is 2.5, not 2.25.

However, it really seems that the patch can't be applied as is and it needs some adjustments anyway. I would leave it up to the maintainers if they want to wait for the new version 2.6 or if they decide to backport this patch.
http://bugzilla.suse.com/show_bug.cgi?id=1140733#c4
Kristyna Streitova