Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi Stable release managers, The update for bzip2 which went into buster is affected by a regression, tracked as #931278, where some libzip2 compressed files (created by a "buggy" libzip2 version), could not be uncompressed anymore. The issue was fixed upstream, and I did cherry-pick the fix into unstable with the 1.0.6-9.2. As the fix difference between 1.0.6-9.1 and 1.0.6-9.2 is solely the fix, I opted to do a rebuild of the unstable version to upload for buster, that is 1.0.6-9.2~deb10u1. Regards, Salvatore -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores) Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)
diff -Nru bzip2-1.0.6/debian/changelog bzip2-1.0.6/debian/changelog --- bzip2-1.0.6/debian/changelog 2019-06-24 22:15:37.000000000 +0200 +++ bzip2-1.0.6/debian/changelog 2019-07-10 21:17:52.000000000 +0200 @@ -1,3 +1,16 @@ +bzip2 (1.0.6-9.2~deb10u1) buster; urgency=medium + + * Rebuild for buster + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 10 Jul 2019 21:17:52 +0200 + +bzip2 (1.0.6-9.2) unstable; urgency=medium + + * Non-maintainer upload. + * Accept as many selectors as the file format allows (Closes: #931278) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 10 Jul 2019 06:25:07 +0200 + bzip2 (1.0.6-9.1) unstable; urgency=high * Non-maintainer upload. diff -Nru bzip2-1.0.6/debian/patches/Accept-as-many-selectors-as-the-file-format-allows.patch bzip2-1.0.6/debian/patches/Accept-as-many-selectors-as-the-file-format-allows.patch --- bzip2-1.0.6/debian/patches/Accept-as-many-selectors-as-the-file-format-allows.patch 1970-01-01 01:00:00.000000000 +0100 +++ bzip2-1.0.6/debian/patches/Accept-as-many-selectors-as-the-file-format-allows.patch 2019-07-10 06:23:58.000000000 +0200 @@ -0,0 +1,76 @@ +From: Mark Wielaard <m...@klomp.org> +Date: Wed, 3 Jul 2019 01:28:11 +0200 +Subject: Accept as many selectors as the file format allows. +Origin: https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13 +Bug-Debian: https://bugs.debian.org/931278 +Bug: https://gitlab.com/federicomenaquintero/bzip2/issues/24 + +But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS. + +The theoretical maximum number of selectors depends on the maximum +blocksize (900000 bytes) and the number of symbols (50) that can be +encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002. + +But the bzip2 file format allows the number of selectors to be encoded +with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in +14 bits). So the file format maximum is 32767 selectors. + +Some bzip2 encoders might actually have written out more selectors +than the theoretical maximum because they rounded up the number of +selectors to some convenient factor of 8. + +The extra 14766 selectors can never be validly used by the decompression +algorithm. So we can read them, but then discard them. + +This is effectively what was done (by accident) before we added a +check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate +CVE-2019-12900. + +The extra selectors were written out after the array inside the +EState struct. But the struct has extra space allocated after the +selector arrays of 18060 bytes (which is larger than 14766). +All of which will be initialized later (so the overwrite of that +space with extra selector values would have been harmless). +--- + compress.c | 2 +- + decompress.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/compress.c ++++ b/compress.c +@@ -454,7 +454,7 @@ void sendMTFValues ( EState* s ) + + AssertH( nGroups < 8, 3002 ); + AssertH( nSelectors < 32768 && +- nSelectors <= (2 + (900000 / BZ_G_SIZE)), ++ nSelectors <= BZ_MAX_SELECTORS, + 3003 ); + + +--- a/decompress.c ++++ b/decompress.c +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); +- if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); ++ if (nSelectors < 1) RETURN(BZ_DATA_ERROR); + for (i = 0; i < nSelectors; i++) { + j = 0; + while (True) { +@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s ) + j++; + if (j >= nGroups) RETURN(BZ_DATA_ERROR); + } +- s->selectorMtf[i] = j; ++ /* Having more than BZ_MAX_SELECTORS doesn't make much sense ++ since they will never be used, but some implementations might ++ "round up" the number of selectors, so just ignore those. */ ++ if (i < BZ_MAX_SELECTORS) ++ s->selectorMtf[i] = j; + } ++ if (nSelectors > BZ_MAX_SELECTORS) ++ nSelectors = BZ_MAX_SELECTORS; + + /*--- Undo the MTF values for the selectors. ---*/ + { diff -Nru bzip2-1.0.6/debian/patches/series bzip2-1.0.6/debian/patches/series --- bzip2-1.0.6/debian/patches/series 2019-06-24 22:15:37.000000000 +0200 +++ bzip2-1.0.6/debian/patches/series 2019-07-10 06:23:28.000000000 +0200 @@ -8,3 +8,4 @@ bzdiff-tmpdir-spaces.diff 40-bzdiff-l.patch Make-sure-nSelectors-is-not-out-of-range.patch +Accept-as-many-selectors-as-the-file-format-allows.patch