Hi, bzip2 lost its domain and got a new home at https://sourceware.org/bzip2/ It also didn't see a release for a very long time. Causing various patches used by distros to not have been integrated upstream. We are trying to collect them all and do a new release. The following patch comes from Fedora. Please let us know if we missed some others. Thanks, Mark bzip2recover.c (main): Make sure to set outFile to NULL when done. This was reported as CVE-2016-3189 and found in multiple distributions. https://seclists.org/oss-sec/2016/q2/568 Some more analysis can be found in: https://bugzilla.redhat.com/show_bug.cgi?id=1319648 --- bzip2recover.c | 1 + 1 file changed, 1 insertion(+) diff --git a/bzip2recover.c b/bzip2recover.c index 1a70e04..a955d60 100644 --- a/bzip2recover.c +++ b/bzip2recover.c @@ -458,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv ) bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); bsPutUInt32 ( bsWr, blockCRC ); bsClose ( bsWr ); + outFile = NULL; } if (wrBlock >= rbCtr) break; wrBlock++; -- 1.8.3.1