bzip2: race condition and infinite loop [LWN.net]

Package(s):

bzip2

CVE #(s):

CAN-2005-0953 CAN-2005-1260

Created:

May 17, 2005

Updated:

January 10, 2007

Description:

A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.

Alerts:

rPath	rPSA-2007-0004-1	bzip2	2007-01-09
Debian	DSA-741-1	bzip2	2005-07-07
Red Hat	RHSA-2005:474-01	bzip2	2005-06-16
OpenPKG	OpenPKG-SA-2005.008	bzip2	2005-06-10
SuSE	SUSE-SR:2005:015	multi	2005-06-07
Debian	DSA-730-1	bzip2	2005-05-27
Mandriva	MDKSA-2005:091	bzip2	2005-05-18
Ubuntu	USN-127-1	bzip2	2005-05-17

to post comments

bzip2: race condition and infinite loop

Posted May 26, 2005 19:32 UTC (Thu) by landley (guest, #6789) [Link] (1 responses)

If it's the same infinite loop bug I hit, I first reported it a year and a half ago, while rewriting bzip2 for the busybox project:

http://busybox.net/lists/busybox/2003-November/009878.html

I emailed Julian Seward about it at the time...

slightly off-topic: Smirky comments in jest

Posted Jan 15, 2007 4:40 UTC (Mon) by pr1268 (guest, #24648) [Link]

crap.c? Nice module naming standards! Reminds me of my C code.

We discussed the concept of "reverse compression" in a graduate CS course I took this past Fall, but 44 bytes → 500 MB takes the cake. (Never mind that it hadn't finished compressing yet.) ;-)

Thank you for testing the fix and following up with it.