Closed Bug 480372 Opened 15 years ago Closed 8 years ago

Upgrade libbz2 (bzip2) to 1.0.6

Categories

(Toolkit :: Application Update, defect)

Platform: x86 Linux
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 1280043

People

(Reporter: scarybeasts, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.04 (hardy) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.04 (hardy) Firefox/3.0.5

As per bzip2 home page, 1.0.5 fixes known vulnerabilities processing corrupt streams:

http://www.bzip.org/
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html

(I'm not entirely clear what data bzip2 is used to process - something relating to updates? Could you clarify the bug with a description of what data exactly flows through bzip2 and when?)


Reproducible: Always

To expand on my previous comment - this may not be a vulnerability if e.g. the bz2 data stream is only examined after a cryptographically strong hash or signature has passed.

Yes, this is not a Mozilla vulnerability: we only use bzip2 for MAR updates which have already been cryptographically verified.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Security → Application Update
Product: Firefox → Toolkit
QA Contact: firefox → application.update
Version: unspecified → Trunk
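
The ordering discussed in the two comments above (the bz2 stream is only parsed after a cryptographic check has passed), as an added example that is not part of the bug report or Mozilla's updater code. It assumes a SHA-256 digest obtained from a trusted source stands in for the MAR signature check; all function names and sample data are constructed for illustration.

```python
import bz2
import hashlib
import hmac


class VerificationError(Exception):
    """The data did not match the digest obtained from a trusted source."""


def digest_ok(data: bytes, trusted_hex: str) -> bool:
    # Constant-time comparison of the computed and the trusted SHA-256 digest.
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), trusted_hex.lower())


def decompress_then_verify(compressed: bytes, trusted_hex_of_plain: str) -> bytes:
    """Late check: the bzip2 parser runs on unauthenticated bytes first."""
    plain = bz2.decompress(compressed)  # a corrupt stream reaches libbz2 here
    if not digest_ok(plain, trusted_hex_of_plain):
        raise VerificationError("digest mismatch (checked after parsing)")
    return plain


def verify_then_decompress(compressed: bytes, trusted_hex_of_compressed: str) -> bytes:
    """Early check: authenticate the compressed bytes, then parse them."""
    if not digest_ok(compressed, trusted_hex_of_compressed):
        raise VerificationError("digest mismatch; bz2 was never invoked")
    return bz2.decompress(compressed)


def outcome(func, blob: bytes, digest: str) -> str:
    """Report which layer accepted or rejected the input."""
    try:
        func(blob, digest)
        return "accepted"
    except VerificationError:
        return "rejected-by-verifier"
    except (OSError, ValueError, EOFError):
        return "rejected-by-bz2-parser"


# Constructed sample data: a valid stream and a copy with one damaged byte
# (offset 10 is the first byte of the stored block CRC).
PLAIN = b"constructed update payload\n" * 64
GOOD = bz2.compress(PLAIN)
CORRUPT = GOOD[:10] + bytes([GOOD[10] ^ 0xFF]) + GOOD[11:]
DIGEST_COMPRESSED = hashlib.sha256(GOOD).hexdigest()
DIGEST_PLAIN = hashlib.sha256(PLAIN).hexdigest()
```

With the late check the corrupt stream is rejected by the bzip2 parser itself, which is the code a libbz2 stream-handling flaw would live in; with the early check it never gets that far.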
> Changelog:
>    Version 1.0.6 removes a potential security vulnerability, CVE-2010-0405,
>    so all users are recommended to upgrade immediately.
Summary: Upgrade libbz2 (bzip2) to 1.0.5 → Upgrade libbz2 (bzip2) to 1.0.6
duping forward because this is now fixed (dunno why we didn't just use this bug).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE