CVE-2010-0405

Publication date 20 September 2010

Last updated 24 July 2024

Ubuntu priority

Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
bzip2	10.04 LTS lucid	Fixed 1.0.5-4ubuntu0.1
	9.10 karmic	Fixed 1.0.5-3ubuntu0.1
	9.04 jaunty	Fixed 1.0.5-1ubuntu1.1
	8.04 LTS hardy	Fixed 1.0.4-2ubuntu4.1
	6.06 LTS dapper	Fixed 1.0.3-0ubuntu2.2
clamav	10.04 LTS lucid	Fixed 0.96.1+dfsg-0ubuntu0.10.04.2
	9.10 karmic	Fixed 0.95.3+dfsg-1ubuntu0.09.10.3
	9.04 jaunty	Fixed 0.95.3+dfsg-1ubuntu0.09.04.3
	8.04 LTS hardy	Fixed 0.95.3+dfsg-1ubuntu0.09.04~hardy2.5
	6.06 LTS dapper	Fixed 0.95.3+dfsg-1ubuntu0.09.04~dapper4.1
dpkg	10.04 LTS lucid	Fixed 1.15.5.6ubuntu4.3
	9.10 karmic	Fixed 1.15.4ubuntu2.2
	9.04 jaunty	Fixed 1.14.24ubuntu1.2
	8.04 LTS hardy	Fixed 1.14.16.6ubuntu4.2
	6.06 LTS dapper	Fixed 1.13.11ubuntu7.2
dump	10.04 LTS lucid	Fixed 0.4b42-1ubuntu0.10.04.1
	9.10 karmic	Fixed 0.4b42-1ubuntu0.9.10.1
	9.04 jaunty	Fixed 0.4b41-6ubuntu0.1
	8.04 LTS hardy	Fixed 0.4b41-5ubuntu0.1
	6.06 LTS dapper	Fixed 0.4b41-2ubuntu0.1

Notes

jdstrand

dump and dpkg use a statically linked bzip2 so simply need to be recompiled

References

Related Ubuntu Security Notices (USN)

USN-986-2
ClamAV vulnerability
20 September 2010

USN-986-1
bzip2 vulnerability
20 September 2010

USN-986-3
dpkg vulnerability
20 September 2010

Other references

https://www.cve.org/CVERecord?id=CVE-2010-0405