From: Mark Wielaard
To: noloader@gmail.com, bzip2-devel@sourceware.org
Subject: Re: Bzip2 download and CVE-2019-12900 fix?
Date: Tue, 01 Jan 2019 00:00:00 -0000

On Wed, 2019-06-26 at 10:10 -0400, Jeffrey Walton wrote:
> Bzip2 downloads are available at ftp://sourceware.org/pub/bzip2/ . The
> download is 1.0.6 and dated March 2019.
>
> My question is, does the latest download include the fixes for
> CVE-2019-12900?

No, not yet in 1.0.6. But everything is in git:
https://sourceware.org/git/?p=bzip2.git;a=summary

Including the CVE-2019-12900 fix:
https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184

> If not, when can we expect a patch or new download?

Hopefully today. The release script is ready:
https://sourceware.org/ml/bzip2-devel/2019-q2/msg00009.html

But there is some discussion on whether to synchronize with an
alternative setup with newer build systems and other changes:
https://sourceware.org/ml/bzip2-devel/2019-q2/msg00014.html

Cheers,

Mark