CVE-2008-1372

Summary

CVE	CVE-2008-1372
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2008-03-18 21:44:00 UTC
Updated	2018-10-11 20:32:00 UTC
Description	bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.

Risk And Classification

Problem Types: CWE-119

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Bzip	Bzip2	0.9	All	All	All
Application	Bzip	Bzip2	0.9.5a	All	All	All
Application	Bzip	Bzip2	0.9.5b	All	All	All
Application	Bzip	Bzip2	0.9.5c	All	All	All
Application	Bzip	Bzip2	0.9.5d	All	All	All
Application	Bzip	Bzip2	0.9_a	All	All	All
Application	Bzip	Bzip2	0.9_b	All	All	All
Application	Bzip	Bzip2	0.9_c	All	All	All
Application	Bzip	Bzip2	1.0	All	All	All
Application	Bzip	Bzip2	1.0.1	All	All	All
Application	Bzip	Bzip2	1.0.2	All	All	All
Application	Bzip	Bzip2	1.0.3	All	All	All
Application	Bzip	Bzip2	0.9	All	All	All
Application	Bzip	Bzip2	0.9.5a	All	All	All
Application	Bzip	Bzip2	0.9.5b	All	All	All
Application	Bzip	Bzip2	0.9.5c	All	All	All
Application	Bzip	Bzip2	0.9.5d	All	All	All
Application	Bzip	Bzip2	0.9_a	All	All	All
Application	Bzip	Bzip2	0.9_b	All	All	All
Application	Bzip	Bzip2	0.9_c	All	All	All
Application	Bzip	Bzip2	1.0	All	All	All
Application	Bzip	Bzip2	1.0.1	All	All	All
Application	Bzip	Bzip2	1.0.2	All	All	All
Application	Bzip	Bzip2	1.0.3	All	All	All

References

Reference	Source	Link	Tags
[security-announce] SUSE Security Summary Report SUSE-SR:200?8:011	SUSE	lists.opensuse.org
bzip2	CONFIRM	www.bzip.org
[SECURITY] Fedora 8 Update: bzip2-1.0.4-13.fc8	FEDORA	www.redhat.com
Slackware update for bzip2 - Advisories - Secunia	SECUNIA	secunia.com
bugs.gentoo.org/attachment.cgi	CONFIRM	bugs.gentoo.org
Gentoo Linux Documentation -- Analog: Denial of Service	GENTOO	security.gentoo.org
Support	REDHAT	www.redhat.com
VMware Knowledge Base - View Document	CONFIRM	kb.vmware.com
Gentoo update for bzip2 - Advisories - Secunia	SECUNIA	secunia.com
The Slackware Linux Project: Slackware Security Advisories	SLACKWARE	www.slackware.org
241786	SUNALERT	sunsolve.sun.com
Repository / Oval Repository	OVAL	oval.cisecurity.org
IPCop update for various packages - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
Red Hat update for bzip2 - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
bzip2 Unspecified File Handling Vulnerability	BID	www.securityfocus.com	Exploit
IPCop 1.4.19 / 1.4.20 released :: IPCop.org :: The bad packets stop here!	CONFIRM	www.ipcop.org
bzip2 Denial of Service Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com	SECUNIA	secunia.com
NetBSD update for bzip2 - Advisories - Secunia	SECUNIA	secunia.com
www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive	MISC	www.ee.oulu.fi
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
USN-590-1: bzip2 vulnerability \| Ubuntu security notices	UBUNTU	usn.ubuntu.com
CERT-FI - CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats	MISC	www.cert.fi
Security Advisories \| Mandriva Linux	MANDRIVA	www.mandriva.com
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com	SECUNIA	secunia.com
Repository / Oval Repository	OVAL	oval.cisecurity.org
Mandriva update for bzip2 - Advisories - Secunia	SECUNIA	secunia.com
Webmail - OVH	VUPEN	www.vupen.com
SecurityFocus	BUGTRAQ	www.securityfocus.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com
[SECURITY] Fedora 7 Update: bzip2-1.0.4-11.fc7	FEDORA	www.redhat.com
bzip2: Denial of Service — Gentoo Linux Documentation	GENTOO	www.gentoo.org
Fedora update for bzip2 - Advisories - Secunia	SECUNIA	secunia.com
VMware KB: ESX Server 3.0.2, Patch ESX-1006982: Security Update to the ESX Server Service Console Packages for bzip2	CONFIRM	kb.vmware.com
NetBSD-SA2008-004	NETBSD	ftp.netbsd.org
Bzip2 Bug Lets Remote Users Deny Service - SecurityTracker	SECTRACK	www.securitytracker.com
About the security content of Security Update 2009-003 / Mac OS X v10.5.8	CONFIRM	support.apple.com
Advisories:rPSA-2008-0118 - rPath Wiki	CONFIRM	wiki.rpath.com
VMware Knowledge Base - View Document	CONFIRM	kb.vmware.com
rPath update for bzip2 - Advisories - Secunia	SECUNIA	secunia.com
SecurityFocus	BUGTRAQ	www.securityfocus.com
Sun Solaris update for bzip2 - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
CERT Vulnerability Notes Database	CERT-VN	www.kb.cert.org	US Government Resource
US-CERT Technical Cyber Security Alert TA09-218A -- Apple Updates for Multiple Vulnerabilities	CERT	www.us-cert.gov	US Government Resource
Ubuntu update for bzip2 - Advisories - Secunia	SECUNIA	secunia.com
APPLE-SA-2009-08-05-1 Security Update 2009-003 / Mac OS X v10.5.8	APPLE	lists.apple.com
Webmail - OVH	VUPEN	www.vupen.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Organization	Published	Contributor	Statement
Red Hat	2008-10-17	Joshua Bressers	Red Hat has re-evaluated the potential impact of this flaw and has released an update which corrects this behavior: http://rhn.redhat.com/errata/RHSA-2008-0893.html

There are currently no legacy QID mappings associated with this CVE.