CVE-2010-0405

Publication date 20 September 2010

Last updated 24 July 2024

Ubuntu priority

Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
bzip2	10.04 LTS lucid	Fixed 1.0.5-4ubuntu0.1
	9.10 karmic	Fixed 1.0.5-3ubuntu0.1
	9.04 jaunty	Fixed 1.0.5-1ubuntu1.1
	8.04 LTS hardy	Fixed 1.0.4-2ubuntu4.1
	6.06 LTS dapper	Fixed 1.0.3-0ubuntu2.2
clamav	10.04 LTS lucid	Fixed 0.96.1+dfsg-0ubuntu0.10.04.2
	9.10 karmic	Fixed 0.95.3+dfsg-1ubuntu0.09.10.3
	9.04 jaunty	Fixed 0.95.3+dfsg-1ubuntu0.09.04.3
	8.04 LTS hardy	Fixed 0.95.3+dfsg-1ubuntu0.09.04~hardy2.5
	6.06 LTS dapper	Fixed 0.95.3+dfsg-1ubuntu0.09.04~dapper4.1
dpkg	10.04 LTS lucid	Fixed 1.15.5.6ubuntu4.3
	9.10 karmic	Fixed 1.15.4ubuntu2.2
	9.04 jaunty	Fixed 1.14.24ubuntu1.2
	8.04 LTS hardy	Fixed 1.14.16.6ubuntu4.2
	6.06 LTS dapper	Fixed 1.13.11ubuntu7.2
dump	10.04 LTS lucid	Fixed 0.4b42-1ubuntu0.10.04.1
	9.10 karmic	Fixed 0.4b42-1ubuntu0.9.10.1
	9.04 jaunty	Fixed 0.4b41-6ubuntu0.1
	8.04 LTS hardy	Fixed 0.4b41-5ubuntu0.1
	6.06 LTS dapper	Fixed 0.4b41-2ubuntu0.1

Notes

jdstrand

dump and dpkg use a statically linked bzip2 so simply need to be recompiled

References

Related Ubuntu Security Notices (USN)

USN-986-2
ClamAV vulnerability
20 September 2010

USN-986-1
bzip2 vulnerability
20 September 2010

USN-986-3
dpkg vulnerability
20 September 2010

Other references

https://www.cve.org/CVERecord?id=CVE-2010-0405