FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

bzip2 -- denial of service and permission race vulnerabilities

Affected packages
5.4 <= FreeBSD < 5.4_3
5.0 <= FreeBSD < 5.3_17
4.11 <= FreeBSD < 4.11_11
FreeBSD < 4.10_16
bzip2 < 1.0.3_1

Details

VuXML ID 197f444f-e8ef-11d9-b875-0001020eed82
Discovery 2005-03-30
Entry 2005-06-29
Modified 2016-08-09

Problem Description

Two problems have been discovered relating to the extraction of bzip2-compressed files. First, a carefully constructed invalid bzip2 archive can cause bzip2 to enter an infinite loop. Second, when creating a new file, bzip2 closes the file before setting its permissions.

Impact

The first problem can cause bzip2 to extract a bzip2 archive to an infinitely large file. If bzip2 is used in automated processing of untrusted files, an attacker could exploit this to create a denial-of-service situation by exhausting disk space or by consuming all available CPU time.

The second problem can allow a local attacker to change the permissions of local files owned by the user executing bzip2, provided that they have write access to the directory in which the file is being extracted.
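
The ordering behind the second problem, as an added C example (not bzip2's code and not the FreeBSD patch): setting the mode by name after close() applies it to whatever the name refers to at that moment, while fchmod() on the still-open descriptor applies it to the file that was actually created. The function names, the temporary paths and the repoint() helper that stands in for a second user are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static char out[64], decoy[64];  /* constructed paths inside a temp dir */

/* Constructed stand-in for a second user with write access to the
 * directory: makes the output name refer to a different file. */
static void repoint(void) { rename(decoy, out); }

/* Order described in the advisory: close, then set the mode by name. */
static int finish_by_name(int fd, mode_t mode) {
    if (close(fd) != 0) return -1;
    repoint();                      /* the name changes inside the window */
    return chmod(out, mode);        /* lands on whatever `out` names now */
}

/* Hardened order: set the mode on the open descriptor, then close. */
static int finish_by_fd(int fd, mode_t mode) {
    repoint();                      /* same interference, before the call */
    if (fchmod(fd, mode) != 0) { close(fd); return -1; }
    return close(fd);               /* mode went to the file we created */
}

/* Returns the final mode of the unrelated file, which starts at 0600. */
static int decoy_mode_after(int use_fd) {
    char dir[] = "/tmp/bzperm.XXXXXX";
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(out, sizeof out, "%s/out", dir);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    int d = open(decoy, O_CREAT | O_EXCL | O_WRONLY, 0600);
    int fd = open(out, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (d < 0 || fd < 0 || fchmod(d, 0600) != 0) return -1;
    close(d);
    int rc = use_fd ? finish_by_fd(fd, 0644) : finish_by_name(fd, 0644);
    int mode = (rc == 0 && stat(out, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(out); unlink(decoy); rmdir(dir);
    return mode;
}

int main(void) {
    printf("close then chmod(path): decoy mode %o\n", decoy_mode_after(0));
    printf("fchmod(fd) then close:  decoy mode %o\n", decoy_mode_after(1));
    return 0;
}
```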

Workaround

Do not uncompress bzip2 archives from untrusted sources and do not uncompress files in directories where untrusted users have write access.

References

CVE Name CVE-2005-0953
CVE Name CVE-2005-1260
FreeBSD Advisory SA-05:14.bzip2
URL http://scary.beasts.org/security/CESA-2005-002.txt