Bug#853760: unblock: bzip2/1.0.6-8.1

Salvatore Bonaccorso Tue, 31 Jan 2017 08:46:07 -0800

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock


Hi

Please unblock package bzip2

Ben Hutchings fixed #827744 (CVE-2016-3189) for bzip2 via a NMU to
unstable. Could you please unblock bzip2 to have the fix included in
stretch.

Changelog:

>bzip2 (1.0.6-8.1) unstable; urgency=medium
>
>  * Non-maintainer upload.
>  * bzip2recover: Fix potential use-after-free, Closes: #827744 (CVE-2016-3189)
>
> -- Ben Hutchings <b...@decadent.org.uk>  Sun, 29 Jan 2017 18:30:31 +0000

unblock bzip2/1.0.6-8.1

Attached is the debdiff against the version currently in testing.

Regards,
Salvatore

diff -Nru bzip2-1.0.6/debian/changelog bzip2-1.0.6/debian/changelog
--- bzip2-1.0.6/debian/changelog        2015-05-19 21:37:53.000000000 +0200
+++ bzip2-1.0.6/debian/changelog        2017-01-29 19:30:31.000000000 +0100
@@ -1,3 +1,10 @@
+bzip2 (1.0.6-8.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * bzip2recover: Fix potential use-after-free, Closes: #827744 (CVE-2016-3189)
+
+ -- Ben Hutchings <b...@decadent.org.uk>  Sun, 29 Jan 2017 18:30:31 +0000
+
 bzip2 (1.0.6-8) unstable; urgency=medium
 
   * Remove Jorge Ernesto Guevara Cuenca from Uploaders, as agreed with him.
diff -Nru bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch 
bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch
--- bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch 1970-01-01 
01:00:00.000000000 +0100
+++ bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch 2017-01-29 
19:30:31.000000000 +0100
@@ -0,0 +1,17 @@
+Author: Jakub Martisko <jamar...@redhat.com>
+Date: Wed, 30 Mar 2016 10:22:27 +0200
+Description: bzip2recover: Fix potential use-after-free
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-3189
+Bug-Debian: https://bugs.debian.org/827744
+
+--- a/bzip2recover.c
++++ b/bzip2recover.c
+@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
++            outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;
diff -Nru bzip2-1.0.6/debian/patches/series bzip2-1.0.6/debian/patches/series
--- bzip2-1.0.6/debian/patches/series   2014-07-26 17:46:24.000000000 +0200
+++ bzip2-1.0.6/debian/patches/series   2017-01-29 19:30:31.000000000 +0100
@@ -1,3 +1,4 @@
 10-bzip2.1.patch
 20-legacy.patch
 30-bzip2-harden.patch
+bzip2recover-CVE-2016-3189.patch

Bug#853760: unblock: bzip2/1.0.6-8.1

Reply via email to