On Tue, 2019-07-09 at 22:06 +0200, Salvatore Bonaccorso wrote:
> The patch seems to have evolved to
> https://sourceware.org/ml/bzip2-devel/2019-q3/msg00007.html. Were
> there any more issues found? Should downstream distros who picked up
> the CVE-2019-12900 safely include this patch?

Yes. It was just committed upstream:
https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13

No other issues were found. But some time was spent creating and
integrating a new testsuite:
https://sourceware.org/git/bzip2-tests.git
with the buildbot:
https://builder.wildebeest.org/buildbot/#/builders?tags=bzip2
To make sure we didn't overlook any other issues.

We are now looking at better integration with some fuzzers to catch any
other issues.

Expect a 1.0.8 release soon (days, not weeks) with the patch and some
other small fixes.

Cheers,

Mark