From mboxrd@z Thu Jan 1 00:00:00 1970
Received: (qmail 76432 invoked by alias); 23 Jun 2019 22:59:44 -0000
Mailing-List: contact bzip2-devel-help@sourceware.org; run by ezmlm
Sender: bzip2-devel-owner@sourceware.org
From: Mark Wielaard
To: bzip2-devel@sourceware.org
Cc: Cedric Buissart, Jakub Martiško, Armin Kuster, Mark Wielaard
Subject: [PATCH] bzip2recover: Fix use after free issue with outFile.
Date: Tue, 01 Jan 2019 00:00:00 -0000
Message-Id: <1561330775-17190-1-git-send-email-mark@klomp.org>
X-Mailer: git-send-email 1.8.3.1
X-SW-Source: 2019-q2/txt/msg00003.txt.bz2

Hi,

bzip2 lost its domain and got a new home at https://sourceware.org/bzip2/
It also didn't see a release for a very long time, causing various patches used by distros to not have been integrated upstream. We are trying to collect them all and do a new release. The following patch comes from Fedora. Please let us know if we missed some others.

Thanks,

Mark

bzip2recover.c (main): Make sure to set outFile to NULL when done.

This was reported as CVE-2016-3189 and found in multiple distributions.
https://seclists.org/oss-sec/2016/q2/568

Some more analysis can be found in:
https://bugzilla.redhat.com/show_bug.cgi?id=1319648

--- bzip2recover.c | 1 + 1 file changed, 1 insertion(+) diff --git a/bzip2recover.c b/bzip2recover.c index 1a70e04..a955d60 100644 --- a/bzip2recover.c +++ b/bzip2recover.c @@ -458,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv ) bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); bsPutUInt32 ( bsWr, blockCRC ); bsClose ( bsWr ); + outFile = NULL; } if (wrBlock >= rbCtr) break; wrBlock++; -- 1.8.3.1
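
Review bot: the added `outFile = NULL;` after `bsClose ( bsWr );` carries no comment saying why the pointer is cleared, and the hunk does not show the later code that is expected to test it before use. A one-line comment at that spot (for example, that outFile must not be reused once the write stream has been closed, per the use after free named in the subject) would keep the reset from being dropped in a later cleanup. bsWr keeps its old value after the same bsClose call, so it is worth confirming whether it needs the same reset on the paths that follow `if (wrBlock >= rbCtr) break;`.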