Follow up. Some Mac users will recall that several months back we discussed the bzip2 bug and I filed a bug report with Apple when it wasn't included in their previous updates back in November. They acknowledged they were working on it and promised it would be out shortly. Last Monday they posted updates to both Mac OS X 10.5.8 and 10.6.6 which purport to fix the bug (forwarded below).

After installing the update, I noticed that it was still bzip2 v1.0.5, so I wrote back to Apple, asked what was going on and received the following response:

> We fixed it by patching the specific issue, not by updating to the latest
> version.
>
> Best regards,
>
> Cedric
> Apple Product Security team

So I ran a quick configure and make check of the clamav 0.97.0 tarball and received no bzip2 related warnings or errors. So Mac users should be good to go on this one.

For those of you who chose to update to a third party bzip2 1.0.6 in the interim...I don't know what to tell you.

-Al-
--
Al Varnell
Mountain View, CA

------ Forwarded Message
From: Apple Product Security <product-security-nore...@lists.apple.com>
Date: Mon, 21 Mar 2011 13:30:57 -0700
To: <security-annou...@lists.apple.com>
Subject: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001

Mac OS X v10.6.7 and Security Update 2011-001 are now available and
address the following:

bzip2
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.6,
Mac OS X Server v10.6 through v10.6.6
Impact: Using the command line bzip2 or bunzip2 tool to decompress a
bzip2 file may result in an unexpected application termination or
arbitrary code execution
Description: An integer overflow issue existed in bzip2's handling
of bzip2 compressed files. Using the command line bzip2 or bunzip2
tool to decompress a bzip2 file may result in an unexpected
application termination or arbitrary code execution.
CVE-ID
CVE-2010-0405

...

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

------ End of Forwarded Message