From b5c16693ddd7820f3247da69d79b02699b6be10e Mon Sep 17 00:00:00 2001 From: gordon Date: Tue, 6 Aug 2019 17:09:47 +0000 Subject: [PATCH] Fix multiple vulnerabilities in bzip2. Approved by: so Security: FreeBSD-SA-19:18.bzip2 Security: CVE-2016-3189 Security: CVE-2019-12900 --- contrib/bzip2/CHANGES | 17 +++++++++-- contrib/bzip2/LICENSE | 4 +-- contrib/bzip2/README | 36 +++++------------------ contrib/bzip2/README.COMPILATION.PROBLEMS | 6 ++-- contrib/bzip2/blocksort.c | 10 +++---- contrib/bzip2/bzip2.1 | 8 ++--- contrib/bzip2/bzip2.c | 30 ++++++++++--------- contrib/bzip2/bzip2recover.c | 10 ++++--- contrib/bzip2/bzlib.c | 6 ++-- contrib/bzip2/bzlib.h | 4 +-- contrib/bzip2/bzlib_private.h | 6 ++-- contrib/bzip2/compress.c | 4 +-- contrib/bzip2/crctable.c | 4 +-- contrib/bzip2/decompress.c | 8 ++--- contrib/bzip2/huffman.c | 4 +-- contrib/bzip2/randtable.c | 4 +-- contrib/bzip2/spewG.c | 4 +-- contrib/bzip2/unzcrash.c | 4 +-- contrib/bzip2/words2 | 2 +- 19 files changed, 84 insertions(+), 87 deletions(-) diff --git a/contrib/bzip2/CHANGES b/contrib/bzip2/CHANGES index 81e97ca6fa2..d9b4c05c52c 100644 --- a/contrib/bzip2/CHANGES +++ b/contrib/bzip2/CHANGES @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -325,3 +325,16 @@ Security fix only. Fixes CERT-FI 20469 as it applies to bzip2. Izdebski. * Make the documentation build on Ubuntu 10.04 + +1.0.7 (27 Jun 19) +~~~~~~~~~~~~~~~~~ + +* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH + +* bzip2: Fix return value when combining --test,-t and -q. + +* bzip2recover: Fix buffer overflow for large argv[0] + +* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189) + +* Make sure nSelectors is not out of range (CVE-2019-12900) diff --git a/contrib/bzip2/LICENSE b/contrib/bzip2/LICENSE index cc614178cf7..95f9598f847 100644 --- a/contrib/bzip2/LICENSE +++ b/contrib/bzip2/LICENSE @@ -36,7 +36,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -Julian Seward, jseward@bzip.org -bzip2/libbzip2 version 1.0.6 of 6 September 2010 +Julian Seward, jseward@acm.org +bzip2/libbzip2 version 1.0.7 of 27 June 2019 -------------------------------------------------------------------------- diff --git a/contrib/bzip2/README b/contrib/bzip2/README index 9fb0f636013..64873f9826d 100644 --- a/contrib/bzip2/README +++ b/contrib/bzip2/README @@ -6,8 +6,8 @@ This version is fully compatible with the previous public releases. This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. -bzip2/libbzip2 version 1.0.6 of 6 September 2010 -Copyright (C) 1996-2010 Julian Seward +bzip2/libbzip2 version 1.0.7 of 27 June 2019 +Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in this file. @@ -73,7 +73,7 @@ HOW TO BUILD -- Windows 95, NT, DOS, Mac, etc. It's difficult for me to support compilation on all these platforms. My approach is to collect binaries for these platforms, and put them -on the master web site (http://www.bzip.org). Look there. However +on the master web site (https://sourceware.org/bzip2/). Look there. However (FWIW), bzip2-1.0.X is very standard ANSI C and should compile unmodified with MS Visual C. If you have difficulties building, you might want to read README.COMPILATION.PROBLEMS. @@ -161,43 +161,22 @@ WHAT'S NEW IN 0.9.5 ? * Many small improvements in file and flag handling. * A Y2K statement. -WHAT'S NEW IN 1.0.0 ? +WHAT'S NEW IN 1.0.x ? See the CHANGES file. -WHAT'S NEW IN 1.0.2 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.3 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.4 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.5 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.6 ? - - See the CHANGES file. - - I hope you find bzip2 useful. Feel free to contact me at - jseward@bzip.org + jseward@acm.org if you have any suggestions or queries. Many people mailed me with comments, suggestions and patches after the releases of bzip-0.15, bzip-0.21, and bzip2 versions 0.1pl2, 0.9.0, 0.9.5, 1.0.0, 1.0.1, 1.0.2 and 1.0.3, and the changes in bzip2 are largely a result of this feedback. I thank you for your comments. -bzip2's "home" is http://www.bzip.org/ +bzip2's "home" is https://sourceware.org/bzip2/ Julian Seward -jseward@bzip.org +jseward@acm.org Cambridge, UK. 18 July 1996 (version 0.15) @@ -213,3 +192,4 @@ Cambridge, UK. 20 December 2006 (bzip2, version 1.0.4) 10 December 2007 (bzip2, version 1.0.5) 6 Sept 2010 (bzip2, version 1.0.6) +27 June 2019 (bzip2, version 1.0.7) diff --git a/contrib/bzip2/README.COMPILATION.PROBLEMS b/contrib/bzip2/README.COMPILATION.PROBLEMS index 667d0d6dfe4..9e6ac5a1c88 100644 --- a/contrib/bzip2/README.COMPILATION.PROBLEMS +++ b/contrib/bzip2/README.COMPILATION.PROBLEMS @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. -bzip2/libbzip2 version 1.0.6 of 6 September 2010 -Copyright (C) 1996-2010 Julian Seward +bzip2/libbzip2 version 1.0.7 of 27 June 2019 +Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -12,7 +12,7 @@ This program is released under the terms of the license contained in the file LICENSE. ------------------------------------------------------------------ -bzip2-1.0.6 should compile without problems on the vast majority of +bzip2 should compile without problems on the vast majority of platforms. Using the supplied Makefile, I've built and tested it myself for x86-linux and amd64-linux. With makefile.msc, Visual C++ 6.0 and nmake, you can build a native Win32 version too. Large file diff --git a/contrib/bzip2/blocksort.c b/contrib/bzip2/blocksort.c index d0d662cd4e9..26579017af1 100644 --- a/contrib/bzip2/blocksort.c +++ b/contrib/bzip2/blocksort.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -202,9 +202,9 @@ void fallbackQSort3 ( UInt32* fmap, bhtab [ 0 .. 2+(nblock/32) ] destroyed */ -#define SET_BH(zz) bhtab[(zz) >> 5] |= (1 << ((zz) & 31)) -#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~(1 << ((zz) & 31)) -#define ISSET_BH(zz) (bhtab[(zz) >> 5] & (1 << ((zz) & 31))) +#define SET_BH(zz) bhtab[(zz) >> 5] |= ((UInt32)1 << ((zz) & 31)) +#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~((UInt32)1 << ((zz) & 31)) +#define ISSET_BH(zz) (bhtab[(zz) >> 5] & ((UInt32)1 << ((zz) & 31))) #define WORD_BH(zz) bhtab[(zz) >> 5] #define UNALIGNED_BH(zz) ((zz) & 0x01f) diff --git a/contrib/bzip2/bzip2.1 b/contrib/bzip2/bzip2.1 index 7bd45f0eaf8..87c2ce8d9cb 100644 --- a/contrib/bzip2/bzip2.1 +++ b/contrib/bzip2/bzip2.1 @@ -1,6 +1,6 @@ .TH bzip2 1 .SH NAME -bzip2, bunzip2 \- a block-sorting file compressor, v1.0.6 +bzip2, bunzip2 \- a block-sorting file compressor, v1.0.7 .br bzcat \- decompresses files to stdout .br @@ -404,7 +404,7 @@ I/O error messages are not as helpful as they could be. tries hard to detect I/O errors and exit cleanly, but the details of what the problem is sometimes seem rather misleading. -This manual page pertains to version 1.0.6 of +This manual page pertains to version 1.0.7 of .I bzip2. Compressed data created by this version is entirely forwards and backwards compatible with the previous public releases, versions @@ -426,9 +426,9 @@ with MaybeUInt64 set to be an unsigned 64-bit integer. .SH AUTHOR -Julian Seward, jsewardbzip.org. +Julian Seward, jseward@acm.org. -http://www.bzip.org +https://sourceware.org/bzip2/ The ideas embodied in .I bzip2 diff --git a/contrib/bzip2/bzip2.c b/contrib/bzip2/bzip2.c index e6e83699195..c732669429a 100644 --- a/contrib/bzip2/bzip2.c +++ b/contrib/bzip2/bzip2.c @@ -7,8 +7,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -554,7 +554,7 @@ static Bool testStream ( FILE *zStream ) { BZFILE* bzf = NULL; - Int32 bzerr, bzerr_dummy, ret, nread, streamNo, i; + Int32 bzerr, bzerr_dummy, ret, streamNo, i; UChar obuf[5000]; UChar unused[BZ_MAX_UNUSED]; Int32 nUnused; @@ -577,7 +577,7 @@ Bool testStream ( FILE *zStream ) streamNo++; while (bzerr == BZ_OK) { - nread = BZ2_bzRead ( &bzerr, bzf, obuf, 5000 ); + BZ2_bzRead ( &bzerr, bzf, obuf, 5000 ); if (bzerr == BZ_DATA_ERROR_MAGIC) goto errhandler; } if (bzerr != BZ_STREAM_END) goto errhandler; @@ -749,7 +749,7 @@ void panic ( const Char* s ) "\n%s: PANIC -- internal consistency error:\n" "\t%s\n" "\tThis is a BUG. Please report it to me at:\n" - "\tjseward@bzip.org\n", + "\tjseward@acm.org\n", progName, s ); showFileNames(); cleanUpAndFail( 3 ); @@ -829,7 +829,7 @@ void mySIGSEGVorSIGBUScatcher ( IntNative n ) " The user's manual, Section 4.3, has more info on (1) and (2).\n" " \n" " If you suspect this is a bug in bzip2, or are unsure about (1)\n" - " or (2), feel free to report it to me at: jseward@bzip.org.\n" + " or (2), feel free to report it to me at: jseward@acm.org.\n" " Section 4.3 of the user's manual describes the info a useful\n" " bug report should have. If the manual is available on your\n" " system, please try and read it before mailing me. If you don't\n" @@ -852,7 +852,7 @@ void mySIGSEGVorSIGBUScatcher ( IntNative n ) " The user's manual, Section 4.3, has more info on (2) and (3).\n" " \n" " If you suspect this is a bug in bzip2, or are unsure about (2)\n" - " or (3), feel free to report it to me at: jseward@bzip.org.\n" + " or (3), feel free to report it to me at: jseward@acm.org.\n" " Section 4.3 of the user's manual describes the info a useful\n" " bug report should have. If the manual is available on your\n" " system, please try and read it before mailing me. If you don't\n" @@ -1609,7 +1609,7 @@ void license ( void ) " \n" " This program is free software; you can redistribute it and/or modify\n" " it under the terms set out in the LICENSE file, which is included\n" - " in the bzip2-1.0.6 source distribution.\n" + " in the bzip2 source distribution.\n" " \n" " This program is distributed in the hope that it will be useful,\n" " but WITHOUT ANY WARRANTY; without even the implied warranty of\n" @@ -2005,12 +2005,14 @@ IntNative main ( IntNative argc, Char *argv[] ) testf ( aa->name ); } } - if (testFailsExist && noisy) { - fprintf ( stderr, - "\n" - "You can use the `bzip2recover' program to attempt to recover\n" - "data from undamaged sections of corrupted files.\n\n" - ); + if (testFailsExist) { + if (noisy) { + fprintf ( stderr, + "\n" + "You can use the `bzip2recover' program to attempt to recover\n" + "data from undamaged sections of corrupted files.\n\n" + ); + } setExit(2); exit(exitValue); } diff --git a/contrib/bzip2/bzip2recover.c b/contrib/bzip2/bzip2recover.c index bf3bca5b2ed..45de3112753 100644 --- a/contrib/bzip2/bzip2recover.c +++ b/contrib/bzip2/bzip2recover.c @@ -7,8 +7,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -309,11 +309,12 @@ Int32 main ( Int32 argc, Char** argv ) UInt32 buffHi, buffLo, blockCRC; Char* p; - strcpy ( progName, argv[0] ); + strncpy ( progName, argv[0], BZ_MAX_FILENAME-1); + progName[BZ_MAX_FILENAME-1]='\0'; inFileName[0] = outFileName[0] = 0; fprintf ( stderr, - "bzip2recover 1.0.6: extracts blocks from damaged .bz2 files.\n" ); + "bzip2recover 1.0.7: extracts blocks from damaged .bz2 files.\n" ); if (argc != 2) { fprintf ( stderr, "%s: usage is `%s damaged_file_name'.\n", @@ -457,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv ) bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); bsPutUInt32 ( bsWr, blockCRC ); bsClose ( bsWr ); + outFile = NULL; } if (wrBlock >= rbCtr) break; wrBlock++; diff --git a/contrib/bzip2/bzlib.c b/contrib/bzip2/bzlib.c index c02d076ccdf..82dd0bad65f 100644 --- a/contrib/bzip2/bzlib.c +++ b/contrib/bzip2/bzlib.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -47,7 +47,7 @@ void BZ2_bz__AssertH__fail ( int errcode ) fprintf(stderr, "\n\nbzip2/libbzip2: internal error number %d.\n" "This is a bug in bzip2/libbzip2, %s.\n" - "Please report it to me at: jseward@bzip.org. If this happened\n" + "Please report it to me at: jseward@acm.org. If this happened\n" "when you were using some program which uses libbzip2 as a\n" "component, you should also report this bug to the author(s)\n" "of that program. Please make an effort to report this bug;\n" diff --git a/contrib/bzip2/bzlib.h b/contrib/bzip2/bzlib.h index 8277123da8c..8cf07918f8b 100644 --- a/contrib/bzip2/bzlib.h +++ b/contrib/bzip2/bzlib.h @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/contrib/bzip2/bzlib_private.h b/contrib/bzip2/bzlib_private.h index 5d0217f4635..797555222d5 100644 --- a/contrib/bzip2/bzlib_private.h +++ b/contrib/bzip2/bzlib_private.h @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -36,7 +36,7 @@ /*-- General stuff. --*/ -#define BZ_VERSION "1.0.6, 6-Sept-2010" +#define BZ_VERSION "1.0.7, 27-Jun-2019" typedef char Char; typedef unsigned char Bool; diff --git a/contrib/bzip2/compress.c b/contrib/bzip2/compress.c index caf7696011b..237620d8589 100644 --- a/contrib/bzip2/compress.c +++ b/contrib/bzip2/compress.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/contrib/bzip2/crctable.c b/contrib/bzip2/crctable.c index 1fea7e946c5..746efac1cda 100644 --- a/contrib/bzip2/crctable.c +++ b/contrib/bzip2/crctable.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c index 311f5668f9a..20ce4936cdf 100644 --- a/contrib/bzip2/decompress.c +++ b/contrib/bzip2/decompress.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -285,9 +285,9 @@ Int32 BZ2_decompress ( DState* s ) /*--- Now the selectors ---*/ GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); - if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR); GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); - if (nSelectors < 1) RETURN(BZ_DATA_ERROR); + if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); for (i = 0; i < nSelectors; i++) { j = 0; while (True) { diff --git a/contrib/bzip2/huffman.c b/contrib/bzip2/huffman.c index 2283fdbc5a1..0fd6fd762ca 100644 --- a/contrib/bzip2/huffman.c +++ b/contrib/bzip2/huffman.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/contrib/bzip2/randtable.c b/contrib/bzip2/randtable.c index 6d624599061..726d62f0ca0 100644 --- a/contrib/bzip2/randtable.c +++ b/contrib/bzip2/randtable.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/contrib/bzip2/spewG.c b/contrib/bzip2/spewG.c index 14a364938d4..320dc854beb 100644 --- a/contrib/bzip2/spewG.c +++ b/contrib/bzip2/spewG.c @@ -13,8 +13,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/contrib/bzip2/unzcrash.c b/contrib/bzip2/unzcrash.c index 7041da51c98..6e7c63198d0 100644 --- a/contrib/bzip2/unzcrash.c +++ b/contrib/bzip2/unzcrash.c @@ -17,8 +17,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/contrib/bzip2/words2 b/contrib/bzip2/words2 index caddcf42266..203ee39c4c2 100644 --- a/contrib/bzip2/words2 +++ b/contrib/bzip2/words2 @@ -1,5 +1,5 @@ Checking test results. If any of the four "cmp"s which follow report any differences, something is wrong. If you can't easily -figure out what, please let me know (jseward@bzip.org). +figure out what, please let me know (jseward@acm.org). -- 2.45.0