bzip2: race condition and infinite loop [LWN.net]

Package(s):

bzip2

CVE #(s):

CAN-2005-0953 CAN-2005-1260

Created:

May 17, 2005

Updated:

January 10, 2007

Description:

A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.

Alerts:

rPath	rPSA-2007-0004-1	2007-01-09
Debian	DSA-741-1	2005-07-07
Red Hat	RHSA-2005:474-01	2005-06-16
OpenPKG	OpenPKG-SA-2005.008	2005-06-10
SuSE	SUSE-SR:2005:015	2005-06-07
Debian	DSA-730-1	2005-05-27
Mandriva	MDKSA-2005:091	2005-05-18
Ubuntu	USN-127-1	2005-05-17

(Log in to post comments)

bzip2: race condition and infinite loop

Posted May 26, 2005 19:32 UTC (Thu) by landley (subscriber, #6789) [Link]

If it's the same infinite loop bug I hit, I first reported it a year and a half ago, while rewriting bzip2 for the busybox project:

http://busybox.net/lists/busybox/2003-November/009878.html

I emailed Julian Seward about it at the time...

slightly off-topic: Smirky comments in jest

Posted Jan 15, 2007 4:40 UTC (Mon) by pr1268 (subscriber, #24648) [Link]

crap.c? Nice module naming standards! Reminds me of my C code.

We discussed the concept of "reverse compression" in a graduate CS course I took this past Fall, but 44 bytes → 500 MB takes the cake. (Never mind that it hadn't finished compressing yet.) ;-)

Thank you for testing the fix and following up with it.