CVE-2023-29417

NameCVE-2023-29417
DescriptionAn issue was discovered in libbzip3.a in bzip3 1.2.2. There is a bz3_decompress out-of-bounds read in certain situations where buffers passed to bzip3 do not contain enough space to be filled with decompressed data. NOTE: the vendor's perspective is that the observed behavior can only occur for a contract violation, and thus the report is invalid.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bzip3 (PTS)bookworm1.2.2-2vulnerable
sid, trixie1.4.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bzip3source(unstable)(unfixed)unimportant

Notes

https://github.com/kspalaiologos/bzip3/issues/97
Issue between library and example code not correctly using the API

Search for package or bug name: Reporting problems