Windows: vulnerable bzip2 1.0.6

bzip2 is a dependency of CPython (the _bz2 extension module behind the bz2 module links against libbzip2), and version 1.0.6 has the following two vulnerabilities.

CVE-2016-3189: A use-after-free flaw was found in bzip2recover, leading to a null pointer dereference or a write to a closed file descriptor. An attacker could exploit this flaw by feeding a specially crafted bzip2 file to bzip2recover and forcing the program to crash. Note that bzip2recover is a standalone command-line tool, not part of the libbzip2 library that CPython links, so this flaw is reached only through that tool.

CVE-2019-12900: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. BZ2_decompress is the core decompression routine behind BZ2_bzDecompress, so this one is reachable from Python through the bz2 module whenever it decompresses attacker-controlled data.

These vulnerabilities are fixed by updating the bundled bzip2 to 1.0.8 in Windows builds, where the installer links bzip2 statically into _bz2.pyd, so updating the bundled copy is the only way to fix it there. Both fixes landed in bzip2 1.0.7, but 1.0.7 also rejected some valid archives with many selectors; 1.0.8 relaxed that check, which is why it is the version to target.

On Linux and macOS, CPython links dynamically against the system's libbzip2, so the fix is to install a patched system library (1.0.8, or a distribution package that backports the fixes) rather than rebuilding Python.
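The following script checks which libbzip2 a Python process resolves on Linux/macOS and maps that version onto the two CVEs above. It is an added example, not code from the page or from CPython. It assumes BZ2_bzlibVersion(), a real libbzip2 entry point that returns a string such as "1.0.8, 13-Jul-2019", and that the library ctypes.util.find_library("bz2") locates is the one the _bz2 extension was linked against (normally true for distribution Pythons, not guaranteed for vendored or conda builds).

```python
"""Report the dynamically linked libbzip2 version and whether it falls inside
the version range named by CVE-2016-3189 and CVE-2019-12900.

Added example, not part of the original page or of CPython.
Assumptions: BZ2_bzlibVersion() is exported by libbz2 (it is, in bzlib.h), and
find_library("bz2") finds the same library _bz2 was linked against.
"""
import ctypes
import ctypes.util
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Both CVEs cover bzip2 releases through 1.0.6; 1.0.7 carries the fixes and
# 1.0.8 is the version the Windows build was moved to.
LAST_AFFECTED: Version = (1, 0, 6)
RECOMMENDED: Version = (1, 0, 8)

# CVE id -> (last affected version, where the bug lives)
KNOWN_CVES = {
    "CVE-2016-3189": (LAST_AFFECTED, "bzip2recover (standalone tool, not libbz2)"),
    "CVE-2019-12900": (LAST_AFFECTED, "BZ2_decompress in decompress.c (reachable via bz2)"),
}


def parse_bzlib_version(text: str) -> Optional[Version]:
    """Turn the BZ2_bzlibVersion() string into a comparable tuple.

    Anything after the X.Y.Z number (the release date) is ignored; a string
    that does not start with X.Y.Z yields None rather than a guess.
    """
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def affected_cves(version: Version) -> List[str]:
    """CVE ids from KNOWN_CVES that apply to the given library version."""
    return sorted(cve for cve, (last_bad, _) in KNOWN_CVES.items() if version <= last_bad)


def meets_recommendation(version: Version) -> bool:
    """True when the library is at least the 1.0.8 the Windows fix moved to."""
    return version >= RECOMMENDED


def loaded_bzlib_version() -> Optional[str]:
    """Ask the dynamically linked libbz2 for its own version string.

    Returns None when no shared libbz2 can be found, for example on Windows,
    where the official installer links bzip2 statically into _bz2.pyd and the
    version is fixed at build time by the installer, not by the system.
    """
    path = ctypes.util.find_library("bz2")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
        fn = lib.BZ2_bzlibVersion
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_char_p
    fn.argtypes = []
    raw = fn()
    return raw.decode("ascii", "replace") if raw else None


def report(version_text: Optional[str]) -> str:
    """Human-readable verdict for a version string (None = library not found)."""
    if version_text is None:
        return "libbz2 not found as a shared library; check the build's bundled copy"
    version = parse_bzlib_version(version_text)
    if version is None:
        return f"unrecognised libbz2 version string: {version_text!r}"
    cves = affected_cves(version)
    label = ".".join(map(str, version))
    if cves:
        return f"libbz2 {label} is affected by {', '.join(cves)}; upgrade to 1.0.8"
    if not meets_recommendation(version):
        return f"libbz2 {label} carries the CVE fixes but is older than the recommended 1.0.8"
    return f"libbz2 {label} is not affected"


if __name__ == "__main__":
    print(report(loaded_bzlib_version()))
```

To confirm that the library ctypes found is really the one the interpreter uses, compare it with the linker's view of the extension module: ldd "$(python -c 'import _bz2; print(_bz2.__file__)')" on Linux, or otool -L on macOS. If the two paths differ (a venv built against a vendored bzip2, for instance), query the library named by the linker instead.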

Dates:

  • Disclosure date: 2021-07-02 (Python issue bpo-44549 reported)

Fixed In

Python issue

Update Windows installer to use bzip2 1.0.8.

  • Python issue: bpo-44549
  • Creation date: 2021-07-02
  • Reporter: siddhartha shankar mahato

CVE-2016-3189

Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.

CVE-2019-12900

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Timeline

Timeline using the disclosure date 2021-07-02 as reference: