CVE-2019-12900
CRITICALbzip2 < 1.0.6 - Out-of-bounds Write in BZ2_decompress
Title source: llmDescription
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
References (23)
Core 23
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4038-2/
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4038-1/
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Jul/22
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html
Patch, Third Party Advisory vendor-advisory
x_refsource_freebsd
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Aug/4
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4146-1/
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4146-2/
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
Patch, Vendor Advisory x_refsource_misc
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
Vendor Advisory x_refsource_confirm
https://support.f5.com/csp/article/K68713584?utm_source=f5support&%3Butm_medium=RSS
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4%40%3Cuser.flink.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774%40%3Cuser.flink.apache.org%3E
Scores
CVSS v3
9.8
EPSS
0.0111
EPSS Percentile
78.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-787
Status
published
Products (13)
bzip/bzip2
< 1.0.6
canonical/ubuntu_linux
12.04
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
19.04
debian/debian_linux
8.0
freebsd/freebsd
11.2 (13 CPE variants)
freebsd/freebsd
11.3 (2 CPE variants)
freebsd/freebsd
12.0 (9 CPE variants)
... and 3 more
Published
Jun 19, 2019
Tracked Since
Feb 18, 2026