[opensuse-security] bzip2 vulnerability CVE-2010-0405
Hi,

I'm just trying to compile the latest version of ClamAV (0.96.3) and the configure script checks for the presence of a vulnerability (CVE-2010-0405) in the bzip2 library.

The check they use seems to indicate that my SLES 10 SP3 mail servers are in some way vulnerable because it ends up in an infinite loop consuming 100% CPU. The configure script works fine on my machines that run Debian lenny, where the bzip2 packages received a recent security update to fix this problem.

More info here:

Debian security update: http://security-tracker.debian.org/tracker/CVE-2010-0405
Discussion of the vulnerability: http://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/

Does anybody know if Novell considers this a vulnerability and whether they are planning on releasing an update to bzip2 to fix it? I'd rather stick with the official published RPM versions of the bzip2 libraries and not have to replace them manually.

Thanks,
Andy Spiers

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Sat, Sep 25, 2010 at 11:53:46AM +0100, Andy Spiers wrote:

> Hi,
>
> I'm just trying to compile the latest version of ClamAV (0.96.3) and the configure script checks for the presence of a vulnerability (CVE-2010-0405) in the bzip2 library.
>
> The check they use seems to indicate that my SLES 10 SP3 mail servers are in some way vulnerable because it ends up in an infinite loop consuming 100% CPU. The configure script works fine on my machines that run Debian lenny, where the bzip2 packages received a recent security update to fix this problem.
>
> More info here:
>
> Debian security update: http://security-tracker.debian.org/tracker/CVE-2010-0405
> Discussion of the vulnerability: http://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/
>
> Does anybody know if Novell considers this a vulnerability and whether they are planning on releasing an update to bzip2 to fix it? I'd rather stick with the official published RPM versions of the bzip2 libraries and not have to replace them manually.

We are considering this a security vulnerability and will publish updates. This will likely happen at the beginning of next week. (It is just that we had some more critical issues this week.)

Ciao, Marcus
Marcus Meissner wrote:

> > Does anybody know if Novell considers this a vulnerability and whether they are planning on releasing an update to bzip2 to fix it? I'd rather stick with the official published RPM versions of the bzip2 libraries and not have to replace them manually.
>
> We are considering this a security vulnerability and will publish updates. This will likely happen at the beginning of next week.
> (It is just that we had some more critical issues this week.)

Great. Thanks for the very quick update, Marcus. I'll leave the ClamAV update on the SLES mail servers until the official bzip2 patch is published then.

Cheers,
Andy