Closed
Bug 480372
Opened 15 years ago
Closed 8 years ago
Upgrade libbz2 (bzip2) to 1.0.6
Categories
(Toolkit :: Application Update, defect)
RESOLVED
DUPLICATE
of bug 1280043
People
(Reporter: scarybeasts, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.04 (hardy) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.04 (hardy) Firefox/3.0.5

As per bzip2 home page, 1.0.5 fixes known vulnerabilities processing corrupt streams:
http://www.bzip.org/
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html

(I'm not entirely clear what data bzip2 is used to process - something relating to updates? Could you clarify the bug with a description of what data exactly flows through bzip2 and when?)

Reproducible: Always
Reporter
Comment 1•15 years ago
To expand on my previous comment - this may not be a vulnerability if e.g. the bz2 data stream is only examined after a cryptographically strong hash or signature has passed.
Comment 2•15 years ago
Yes, this is not a Mozilla vulnerability: we only use bzip2 for MAR updates which have already been cryptographically verified.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
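The ordering that comments 1 and 2 describe (a strong hash or signature check passes first, and only then does the bzip2 stream reach the decompressor), as an added example that is not Mozilla's updater code or part of this bug. It assumes a SHA-256 digest from a trusted source in place of the MAR signature check; `verify_then_decompress`, `flip_byte` and the sample data are hypothetical and constructed here.

```python
import bz2
import hashlib
import hmac


class IntegrityError(Exception):
    """The blob does not match the trusted digest."""


def verify_then_decompress(blob, trusted_sha256_hex, max_output=1 << 20):
    """Decompress blob only after its SHA-256 matches a trusted digest.

    Assumption: the digest came from an authenticated source; in a real
    updater a signature check over the archive would take this place.
    """
    actual = hashlib.sha256(blob).hexdigest()
    # Constant-time compare. On mismatch libbz2 never sees the bytes.
    if not hmac.compare_digest(actual, trusted_sha256_hex.lower()):
        raise IntegrityError("digest mismatch, refusing to decompress")

    # Cap the output so a verified stream still cannot exhaust memory.
    decomp = bz2.BZ2Decompressor()
    out = decomp.decompress(blob, max_length=max_output + 1)
    if len(out) > max_output:
        raise ValueError("decompressed size exceeds max_output")
    if not decomp.eof:
        raise ValueError("bzip2 stream is truncated")
    return out


# Constructed sample input standing in for compressed update data.
SAMPLE_PAYLOAD = b"constructed update payload\n" * 8
SAMPLE_BLOB = bz2.compress(SAMPLE_PAYLOAD)
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_BLOB).hexdigest()


def flip_byte(blob):
    """Return a copy with one byte inverted (a constructed corrupt stream)."""
    mid = len(blob) // 2
    return blob[:mid] + bytes([blob[mid] ^ 0xFF]) + blob[mid + 1:]


if __name__ == "__main__":
    print(verify_then_decompress(SAMPLE_BLOB, SAMPLE_DIGEST) == SAMPLE_PAYLOAD)
    try:
        verify_then_decompress(flip_byte(SAMPLE_BLOB), SAMPLE_DIGEST)
    except IntegrityError as exc:
        print("rejected before decompression:", exc)
```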
Updated•15 years ago
Component: Security → Application Update
Product: Firefox → Toolkit
QA Contact: firefox → application.update
Version: unspecified → Trunk
Comment 3•8 years ago
> Changelog:
> Version 1.0.6 removes a potential security vulnerability, CVE-2010-0405,
> so all users are recommended to upgrade immediately.
Summary: Upgrade libbz2 (bzip2) to 1.0.5 → Upgrade libbz2 (bzip2) to 1.0.6
Updated•8 years ago
URL: http://www.bzip.org/
Comment 4•8 years ago
duping forward because this is now fixed (dunno why we didn't just use this bug).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE