pyrox.dev
bzip2: patch CVE-2019-12900
The vulnerability seems quite serious.
It isn't practical to use fetchpatch here due to bootstrapping,
so I just committed the small patch file.
+13
pkgs/tools/compression/bzip2/cve-2019-12900.patch
+13
pkgs/tools/compression/bzip2/cve-2019-12900.patch
···
···
1
+
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d
2
+
diff --git a/decompress.c b/decompress.c
3
+
--- a/decompress.c
4
+
+++ b/decompress.c
5
+
@@ -287,7 +287,7 @@
6
+
GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
7
+
if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
8
+
GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
9
+
- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
10
+
+ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
11
+
for (i = 0; i < nSelectors; i++) {
12
+
j = 0;
13
+
while (True) {