Windows: vulnerable bzip2 1.0.6

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

bzip2 is a dependency of CPython, and its 1.0.6 version has the following two vulnerabilities.

CVE-2016-3189: A use-after-free flaw was found in bzip2recover, leading to a null pointer dereference, or a write to a closed file descriptor. An attacker could use this flaw by sending a specially crafted bzip2 file to recover and force the program to crash.

CVE-2019-12900: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

These vulnerabilities are fixed by updating bzip2 to 1.0.8 in Windows builds.

On Linux and macOS, you can fix them by specifying the dynamically link version of bzip2.

Dates:

• Disclosure date: 2021-07-02 (Python issue bpo-44549 reported)

Fixed In

• Python 3.7.13 (2022-03-16) fixed by commit 4a3c610 (branch 3.7) (2022-03-07)
• Python 3.8.13 (2022-03-16) fixed by commit 6649519 (branch 3.8) (2022-03-08)
• Python 3.9.11 (2022-03-16) fixed by commit e1639f3 (branch 3.9) (2022-03-07)
• Python 3.10.3 (2022-03-16) fixed by commit 58d576a (branch 3.10) (2022-03-07)

Python issue

Update Windows installer to use bzip2 1.0.8.

• Python issue: bpo-44549
• Creation date: 2021-07-02
• Reporter: siddhartha shankar mahato

CVE-2016-3189

Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.

• CVE ID: CVE-2016-3189
• Published: 2016-06-30
• CVSS Score: 4.3

CVE-2019-12900

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

• CVE ID: CVE-2019-12900
• Published: 2019-06-19
• CVSS Score: 7.5

Timeline

Timeline using the disclosure date 2021-07-02 as reference:

• 2016-06-30 (-1828 days): CVE-2016-3189 published
• 2019-06-19 (-744 days): CVE-2019-12900 published
• 2021-07-02: Python issue bpo-44549 reported by siddhartha shankar mahato
• 2022-03-07 (+248 days): commit 4a3c610 (branch 3.7)
• 2022-03-07 (+248 days): commit 58d576a (branch 3.10)
• 2022-03-07 (+248 days): commit e1639f3 (branch 3.9)
• 2022-03-08 (+249 days): commit 6649519 (branch 3.8)
• 2022-03-16 (+257 days): Python 3.10.3 released
• 2022-03-16 (+257 days): Python 3.7.13 released
• 2022-03-16 (+257 days): Python 3.8.13 released
• 2022-03-16 (+257 days): Python 3.9.11 released

Links

• https://access.redhat.com/security/cve/cve-2016-3189
• https://access.redhat.com/security/cve/cve-2019-12900
• https://nvd.nist.gov/vuln/detail/CVE-2016-3189/
• https://nvd.nist.gov/vuln/detail/CVE-2019-12900/