CVE-2019-12900

Publication date 19 June 2019

Last updated 24 July 2024

Ubuntu priority

Why this priority?

Cvss 3 Severity Score

Score breakdown

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
bzip2	19.04 disco	Fixed 1.0.6-9ubuntu0.19.04.1
	18.10 cosmic	Fixed 1.0.6-9ubuntu0.18.10.1
	18.04 LTS bionic	Fixed 1.0.6-8.1ubuntu0.2
	16.04 LTS xenial	Fixed 1.0.6-8ubuntu0.2
	14.04 LTS trusty	Fixed 1.0.6-5ubuntu0.1~esm2 Ubuntu Pro
clamav	19.04 disco	Fixed 0.101.4+dfsg-0ubuntu0.19.04.1
	18.04 LTS bionic	Fixed 0.101.4+dfsg-0ubuntu0.18.04.1
	16.04 LTS xenial	Fixed 0.101.4+dfsg-0ubuntu0.16.04.1
	14.04 LTS trusty	Fixed 0.101.4+dfsg-0ubuntu0.14.04.1+esm1 Ubuntu Pro

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes

leosilva

first fix cause a regression see LP: 1834494

alexmurray

clamav has a vendored copy of bzip2 which is used by the nulsft/nsis scanner. only affects clamav versions < 0.101.4

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
bzip2	Upstream: 74de1e2

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-4038-1
bzip2 vulnerabilities
26 June 2019

USN-4038-2
bzip2 vulnerabilities
26 June 2019

USN-4146-1
ClamAV vulnerabilities
2 October 2019

USN-4146-2
ClamAV vulnerabilities
3 October 2019