[Security] Shipped source code is vulnerable to CVE-2019-12900

[hasufell]

• CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
• upstream patch: https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184
• code in this repo:

  bzlib/cbits/decompress.c

  Line 290 in 6228696

  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);

Although it is reported that the vulnerability is not actually exploitable (under current compilers): https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/

How much of that is true with current compilers on different platforms, configurations and compilation flags is not clear to me.

[Bodigrim]

Shall we move this discussion to https://github.com/haskell/bzlib, which is kinda an upstream repo?

[hasufell]

I have no idea. The cabal file references this repo.

[phadej]

That's because the latest release is NMU from 2020 haskell-infra/hackage-trustees#262

I'd suggest you take over the package. I doubt Duncan (who is the only in uploader group at the moment) could complain.

In particular, I also doubt that Duncan will notice any GitHub discussion, here or in haskell/bzlib (AFAIK he doesn't have GitHub notifications enabled). You should sent him an email.

[Bodigrim]

In particular, I also doubt that Duncan will notice any GitHub discussion, here or in haskell/bzlib (AFAIK he doesn't have GitHub notifications enabled). You should sent him an email.

I asked Duncan by email for bzlib takeover twice in 2023, but he never replied. Let me send a takeover request later today.

[Bodigrim]

Requests sent:

• https://mail.haskell.org/pipermail/haskell-cafe/2024-March/136622.html
• https://mail.haskell.org/pipermail/libraries/2024-March/031660.html

[Bodigrim]

All set now, Duncan granted me upload rights: https://hackage.haskell.org/package/bzlib/maintainers/

@hasufell let's continue at https://github.com/haskell/bzlib please.

[Bodigrim]

@phadej shall we archive this repo?