From mboxrd@z Thu Jan 1 00:00:00 1970
Reply-To: noloader@gmail.com
From: Jeffrey Walton
Date: Tue, 01 Jan 2019 00:00:00 -0000
Subject: Re: Bzip2 download and CVE-2019-12900 fix?
To: Mark Wielaard
Cc: bzip2-devel@sourceware.org
Content-Type: text/plain; charset="UTF-8"
X-SW-Source: 2019-q2/txt/msg00017.txt.bz2

On Wed, Jun 26, 2019 at 10:21 AM Mark Wielaard wrote:
>
> On Wed, 2019-06-26 at 10:10 -0400, Jeffrey Walton wrote:
> > Bzip2 downloads are available at ftp://sourceware.org/pub/bzip2/ .
> > The download is 1.0.6 and dated March 2019.
> >
> > My question is, does the latest download include the fixes for
> > CVE-2019-12900?
>
> No, not yet in 1.0.6. But everything is in git:
> https://sourceware.org/git/?p=bzip2.git;a=summary
> Including the CVE-2019-12900 fix:
>
> https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184
>
> > If not, when can we expect a patch or new download?
>
> Hopefully today.
> The release script is ready:
> https://sourceware.org/ml/bzip2-devel/2019-q2/msg00009.html
>
> But there is some discussion on whether to synchronize with an
> alternative setup with newer build systems and other changes:
> https://sourceware.org/ml/bzip2-devel/2019-q2/msg00014.html

Thanks Mark. There's a lot to the msg00014.html list message.

I run with a patched version of Bzip2. Makefile and Makefile-libbz2_so
need some polishing to get them to respect CFLAGS and LDFLAGS.
Otherwise they ignore our flags. Also, the recipe for libbz2.so.1.0.6
breaks on non-Linux systems because -Wl,-soname is a GNU ld thing.

You can get an idea of the Makefile changes by comparing with
https://github.com/noloader/bzip2-noloader. Also see
https://www.gnu.org/prep/standards/html_node/Command-Variables.html .

Jeff
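
The two Makefile points in the message above, as an added example that is not part of the message or of the bzip2 sources: a GNU make fragment that lets user-supplied CFLAGS and LDFLAGS (hardening options included) reach every compile and link command, and picks the shared-object name option per platform. The REQ_* and SHLIB* variable names, the object list, the soname and the Darwin file names are assumptions made for illustration.

```make
# Added example; a constructed fragment, not bzip2's own Makefile.
# Pattern the message objects to (commented out): a plain '=' in the
# makefile beats an exported CFLAGS, and `make CFLAGS=...` replaces the
# whole value, required flags included. LDFLAGS is never consulted.
#   CFLAGS = -fPIC -Wall -O2 -g -D_FILE_OFFSET_BITS=64
#   libbz2.so.1.0.6: $(OBJS)
#   	$(CC) -shared -Wl,-soname,libbz2.so.1.0 -o $@ $(OBJS)

# User-owned variables (GNU Coding Standards, "Command Variables"):
# give defaults only when neither the user nor the environment set them.
CFLAGS  ?= -O2 -g
LDFLAGS ?=

# Flags the build cannot work without live in separate variables, so a
# user-supplied CFLAGS cannot drop them. Names are hypothetical.
REQ_CPPFLAGS = -D_FILE_OFFSET_BITS=64
REQ_CFLAGS   = -fPIC -Wall

# Placeholder object list; substitute the library's real objects.
OBJS = a.o b.o

# The shared-object name option belongs to the linker, not to Linux.
# The soname and the Darwin file names below are assumed values.
ifeq ($(shell uname -s),Darwin)
  SHLIB    = libbz2.1.0.6.dylib
  SHLIB_LD = -dynamiclib -Wl,-install_name,libbz2.1.0.dylib
else
  SHLIB    = libbz2.so.1.0.6
  SHLIB_LD = -shared -Wl,-soname,libbz2.so.1.0
endif

all: $(SHLIB)

# User flags come last so they can add to or override the defaults.
%.o: %.c
	$(CC) $(REQ_CPPFLAGS) $(CPPFLAGS) $(REQ_CFLAGS) $(CFLAGS) -c $< -o $@

$(SHLIB): $(OBJS)
	$(CC) $(SHLIB_LD) $(LDFLAGS) -o $@ $(OBJS)

.PHONY: all
```

Running `make -n CFLAGS="-O2 -fstack-protector-strong"` against such a fragment prints the commands without executing them, which is a quick way to confirm the flag appears on every compile line.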