Advisories » MGASA-2016-0400

Updated bzip2 packages fix security vulnerability

Publication date: 26 Nov 2016
Modification date: 26 Nov 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3189

Description

A use-after-free flaw was found in bzip2recover, leading to a null
pointer dereference, or a write to a closed file descriptor. An attacker
could use this flaw by sending a specially crafted bzip2 file to recover
and force the program to crash (CVE-2016-3189).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=18742
• http://openwall.com/lists/oss-security/2016/06/20/1
• https://bugzilla.redhat.com/show_bug.cgi?id=1319648
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189

SRPMS

5/core

• bzip2-1.0.6-7.1.mga5