CVE-2019-12900

Name	CVE-2019-12900
Description	BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1833-1, DLA-1953-1, ELA-132-1, ELA-132-2, ELA-855-1
Debian Bugs	930886, 934359

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bzip2 (PTS)	jessie, jessie (lts)	1.0.6-7+deb8u2	fixed
	stretch (lts), stretch	1.0.6-8.1+deb9u1	fixed
	buster (security), buster, buster (lts)	1.0.6-9.2~deb10u2	fixed
	bullseye	1.0.8-4	fixed
	bookworm	1.0.8-5	fixed
	sid, trixie	1.0.8-6	fixed
clamav (PTS)	jessie, jessie (lts)	0.103.9+dfsg-0+deb8u1	fixed
	stretch (security)	0.103.6+dfsg-0+deb9u1	fixed
	stretch (lts), stretch	0.103.9+dfsg-0+deb9u1	fixed
	buster (security), buster, buster (lts)	0.103.9+dfsg-0+deb10u1	fixed
	bullseye	0.103.10+dfsg-0+deb11u1	fixed
	bookworm	1.0.7+dfsg-1~deb12u1	fixed
	sid, trixie	1.4.1+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
bzip2	source	wheezy	1.0.6-4+deb7u1		ELA-132-1
bzip2	source	jessie	1.0.6-7+deb8u1		DLA-1833-1
bzip2	source	stretch	1.0.6-8.1+deb9u1		ELA-855-1
bzip2	source	(unstable)	1.0.6-9.1			930886
clamav	source	wheezy	(unfixed)	end-of-life
clamav	source	jessie	0.101.4+dfsg-0+deb8u1		DLA-1953-1
clamav	source	stretch	0.101.4+dfsg-0+deb9u1
clamav	source	buster	0.101.4+dfsg-0+deb10u1
clamav	source	(unstable)	0.101.4+dfsg-1			934359

Notes

[stretch] - bzip2 <no-dsa> (Not exploitable; potential dangerous parts already guarded)
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
The original fix introduces regressions when extracting certain lbzip2 files
which were created with a buggy libzip2: https://bugs.debian.org/931278
Details on followup: https://sourceware.org/ml/bzip2-devel/2019-q3/msg00007.html
explaining as well why, whilst the issue described by CVE-2019-12900 is definitvely
an issue, it was not exploitable in the first place.
Regression fix: https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13
Clamav: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
clamav uses libbz2 but the "nsis" scanner/decompressor has a decompress.c from bzip2