Hello community,

here is the log from the commit of package bzip2 for openSUSE:Factory checked in at 2019-04-26 22:41:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bzip2 (Old)
 and      /work/SRC/openSUSE:Factory/.bzip2.new.5536 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bzip2"

Fri Apr 26 22:41:11 2019 rev:63 rq:696999 version:1.0.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/bzip2/bzip2.changes      2018-09-04 22:58:01.833381904 +0200
+++ /work/SRC/openSUSE:Factory/.bzip2.new.5536/bzip2.changes    2019-04-26 22:41:17.513740283 +0200
@@ -1,0 +2,7 @@
+Thu Apr 18 10:28:36 UTC 2019 - Kristýna Streitová <kstreit...@suse.com>
+
+- add bzip2-1.0.6-CVE-2016-3189.patch to fix a heap use after
+  free vulnerability that was reported in bzip2recover [bsc#985657]
+  [CVE-2016-3189]
+
+-------------------------------------------------------------------

New:
----
  bzip2-1.0.6-CVE-2016-3189.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bzip2.spec ++++++
--- /var/tmp/diff_new_pack.JUh2S5/_old  2019-04-26 22:41:19.589739223 +0200
+++ /var/tmp/diff_new_pack.JUh2S5/_new  2019-04-26 22:41:19.617739209 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package bzip2
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,6 +37,7 @@
 Patch4:         bzip2-ocloexec.patch
 # PATCH-FIX-UPSTREAM bnc#970260 kstreit...@suse.com -- fix a wrong exit code 
when grepping multiple archives
 Patch5:         bzip2-1.0.6-bzgrep_return_value.patch
+Patch6:         bzip2-1.0.6-CVE-2016-3189.patch
 BuildRequires:  autoconf >= 2.57
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
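Review bot: the new `+Patch6:` line is added without the `# PATCH-FIX-UPSTREAM <bug> <author> -- <summary>` comment that Patch5 carries directly above it; add a matching comment line naming bsc#985657 and CVE-2016-3189 with a short summary (heap use-after-free in bzip2recover), so the references from the changelog entry are also visible where the patch is declared. Since the patch header cites a Red Hat bugzilla attachment as its Origin rather than an upstream bzip2 commit, also confirm that PATCH-FIX-UPSTREAM (and not PATCH-FIX-OPENSUSE) is the right tag under the packaging policy before merging.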
@@ -80,6 +81,7 @@
 %patch3 -p1
 %patch4
 %patch5 -p1
+%patch6 -p1
 
 %build
 autoreconf -fiv

++++++ bzip2-1.0.6-CVE-2016-3189.patch ++++++
Author: Jakub Martisko <jamar...@redhat.com>
Date: Wed, 30 Mar 2016 10:22:27 +0200
Description: bzip2recover: Fix potential use-after-free
Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit

--- a/bzip2recover.c
+++ b/bzip2recover.c
@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv )
             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
             bsPutUInt32 ( bsWr, blockCRC );
             bsClose ( bsWr );
+            outFile = NULL;
          }
          if (wrBlock >= rbCtr) break;
          wrBlock++;
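Review bot: the added `outFile = NULL;` after `bsClose ( bsWr );` resets only the FILE* that is evidently used as the "writer is open" flag, while bsWr itself still points at the BitStream that bsClose has just freed; any later check on bsWr rather than on outFile before the next writer is opened would still reach freed memory, so add `bsWr = NULL;` on the line after `outFile = NULL;` so both handles are invalidated together. The hunk also leaves the `if (wrBlock >= rbCtr) break;` / `wrBlock++;` path without a comment saying why the reset is needed (a crafted input that reaches this close-out for one block and then trips the same branch again before a new output file is opened, which is the use-after-free the changelog entry refers to); a one-line comment at the new line would spare the next reader from reconstructing that from the CVE.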
