-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2008-004 ================================= Topic: bzip2(1) Multiple issues Version: NetBSD-current: affected NetBSD 4.0: affected NetBSD 3.1.*: affected NetBSD 3.1: affected NetBSD 3.0: affected NetBSD 3.0.*: affected Severity: Denial of Service and Race Condition Fixed: NetBSD-current: March 18, 2008 NetBSD-4 branch: March 24, 2008 (4.1 will include the fix) NetBSD-4-0 branch: March 24, 2008 (4.0.1 will include the fix) NetBSD-3-1 branch: March 26, 2008 (3.1.2 will include the fix) NetBSD-3-0 branch: March 26, 2008 (3.0.4 will include the fix) NetBSD-3 branch: March 26, 2008 (3.2 will include the fix) pkgsrc: bzip2-1.0.5 corrects the issue Abstract ======== Multiple issues have been found with the version of bzip2 that ships with NetBSD 3.x, NetBSD 4.x and NetBSD-current. In order to address all these issues bzip2 has been updated to the latest version currently available which contains fixes for these issues. The two known security issues included a race condition and a denial of service. These vulnerabilities have been assigned CVE-2008-1372 for the denial of service and CVE-2005-0953 for the race condition. Technical Details ================= The race condition may allow an attacker to modify the permissions on an existing file owned by a user when a user extracts a crafted bzip2 compressed file. The attacker must have access to the directory in which the file is being decompressed to in order to exploit this issue. An attacker may be able to crash bzip2 by supplying a user with a crafted bzip2 compressed file. Solutions and Workarounds ========================= It is recommended that NetBSD users of vulnerable versions update their binaries. The following instructions describe how to upgrade your bzip2(1) binaries by updating your source tree and rebuilding and installing a new version of bzip2(1). * NetBSD-current: Systems running NetBSD-current dated from before 2008-03-18 should be upgraded to NetBSD-current dated 2008-03-19 or later. The following files/directories need to be updated from the netbsd-current CVS branch (aka HEAD): dist/bzip2 distrib/sets/lists/base/shl.mi distrib/sets/lists/man/mi distrib/sets/lists/misc/mi doc/3RDPARTY lib/libbz2/Makefile lib/libbz2/shlib_version To update from CVS, re-build, and re-install bzip2: # cd src # cvs update -d -P dist/bzip2 # cvs update \ distrib/sets/lists/base/shl.mi \ distrib/sets/lists/man/mi \ distrib/sets/lists/misc/mi \ doc/3RDPARTY \ lib/libbz2/Makefile \ lib/libbz2/shlib_version # cd lib/libbz2 # make USETOOLS=no cleandir dependall # make USETOOLS=no install # rm -f /usr/lib/libbz2.so.1.0 # cd ../../usr.bin/bzip2 # make USETOOLS=no cleandir dependall # make USETOOLS=no install # cd ../../usr.bin/bzip2recover # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 4.*: Systems running NetBSD 4.* sources dated from before 2008-03-24 should be upgraded from NetBSD 4.* sources dated 2008-03-25 or later. The following files/directories need to be updated from the netbsd-4 or netbsd-4-0 branches: dist/bzip2 distrib/sets/lists/base/shl.mi distrib/sets/lists/man/mi distrib/sets/lists/misc/mi doc/3RDPARTY lib/libbz2/Makefile lib/libbz2/shlib_version To update from CVS, re-build, and re-install bzip2: # cd src # cvs update -d -P -r dist/bzip2 # cvs update -r \ distrib/sets/lists/base/shl.mi \ distrib/sets/lists/man/mi \ distrib/sets/lists/misc/mi \ doc/3RDPARTY \ lib/libbz2/Makefile \ lib/libbz2/shlib_version # cd lib/libbz2 # make USETOOLS=no cleandir dependall # make USETOOLS=no install # rm -f /usr/lib/libbz2.so.1.0 # cd ../../usr.bin/bzip2 # make USETOOLS=no cleandir dependall # make USETOOLS=no install # cd ../../usr.bin/bzip2recover # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 3.*: Systems running NetBSD 3.* sources dated from before 2008-03-26 should be upgraded from NetBSD 3.* sources dated 2008-03-27 or later. The following files/directories need to be updated from the netbsd-3, netbsd-3-0 or netbsd-3-1 branches: dist/bzip2 distrib/sets/lists/base/shl.mi distrib/sets/lists/man/mi distrib/sets/lists/misc/mi doc/3RDPARTY lib/libbz2/Makefile lib/libbz2/shlib_version To update from CVS, re-build, and re-install bzip2: # cd src # cvs update -d -P -r dist/bzip2 # cvs update -r \ distrib/sets/lists/base/shl.mi \ distrib/sets/lists/man/mi \ distrib/sets/lists/misc/mi \ doc/3RDPARTY \ lib/libbz2/Makefile \ lib/libbz2/shlib_version # cd lib/libbz2 # make USETOOLS=no cleandir dependall # make USETOOLS=no install # rm -f /usr/lib/libbz2.so.1.0 # cd ../../usr.bin/bzip2 # make USETOOLS=no cleandir dependall # make USETOOLS=no install # cd ../../usr.bin/bzip2recover # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Christos Zoulas for importing the fixes into HEAD. Revision History ================ 2008-04-21 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-004.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2008, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2008-004.txt,v 1.1 2008/04/15 20:19:56 adrianp Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (NetBSD) iQCVAwUBSAUSHj5Ru2/4N2IFAQIO7wP/bP2okQsZUoLy0Tw/5EFLui7LFcjTR13H Y5mOyvCQnPOFlJGbEOo1xUdN0ZNjIhsVIgGvo4ErFhG/bSWndFrg5YZbWxeFE34/ lu1laER9UVXbZp3R88beRe8zjz9GCewjjQSYn9PnR8VE/QxZHr4mrY7YENyhJOcw Rm615QLhJoA= =KOx2 -----END PGP SIGNATURE-----