bzip2 does not use the O_EXCL flag to create files during decompression and does not warn the user if an existing file would be overwritten, which could allow attackers to overwrite files via a bzip2 archive.

bzip2 decompresses files with world-readable permissions before setting the permissions to what is specified in the bzip2 archive, which could allow local users to read the files as they are being decompressed.

bzip2 uses the permissions of symbolic links instead of the actual files when creating an archive, which could cause the files to be extracted with less restrictive permissions than intended.
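The three defects above share one remedy pattern: create the output exclusively with the final mode already applied, and read permissions from the file actually opened rather than from a link. The following is an added example written for this page, not bzip2's own code; the function names (open_output_exclusive, source_mode, selftest) and the scenario files are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* Decompression side: O_EXCL refuses to overwrite an existing file (or follow
 * a planted symlink), and handing the archive's mode to open() means the file
 * never exists world-readable before its permissions are set.
 * Returns the fd, or -1 with errno set (EEXIST when path already exists). */
int open_output_exclusive(const char *path, mode_t archive_mode)
{
    mode_t mode = archive_mode & 07777;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0) return -1;
    /* umask may have cleared bits: restore the archive's mode on a file that
     * is already ours and was never more permissive than requested. */
    if (fchmod(fd, mode) != 0) { close(fd); return -1; }
    return fd;
}

/* Compression side: record the mode of the file actually opened (fstat on
 * the fd), never the mode of a symbolic link on the path. */
int source_mode(const char *path, mode_t *out)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd); errno = EINVAL; return -1;
    }
    close(fd);
    *out = st.st_mode & 07777;
    return 0;
}

/* Constructed scenario under dir; returns 0 on success, else the failed check. */
int selftest(const char *dir)
{
    char f[256], l[256]; struct stat st; mode_t m; int fd;
    snprintf(f, sizeof f, "%s/bz_excl_demo.out", dir);
    snprintf(l, sizeof l, "%s/bz_excl_demo.lnk", dir);
    unlink(f); unlink(l); umask(077);
    if ((fd = open_output_exclusive(f, 0644)) < 0) return 1;
    if (fstat(fd, &st) != 0 || (st.st_mode & 07777) != 0644) return 2;
    close(fd);
    if (open_output_exclusive(f, 0644) != -1 || errno != EEXIST) return 3;
    if (symlink(f, l) != 0) return 4;   /* lstat(l) would report the link's own mode */
    if (source_mode(l, &m) != 0 || m != 0644) return 5;
    unlink(l); unlink(f);
    return 0;
}
```

selftest creates a file with a restrictive umask in place, confirms the archive mode is applied without a wider intermediate state, confirms a second creation is refused with EEXIST, and confirms a symlink to the file yields the target's mode, not the link's.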