-
Notifications
You must be signed in to change notification settings - Fork 15
/
HSEC-2024-0002.json
1 lines (1 loc) · 1.83 KB
/
HSEC-2024-0002.json
1
{"affected":[{"package":{"ecosystem":"Hackage","name":"bzlib"},"ranges":[{"events":[{"introduced":"0.4"},{"fixed":"0.5.2.0"}],"type":"ECOSYSTEM"}],"severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"}]},{"package":{"ecosystem":"Hackage","name":"bz2"},"ranges":[{"events":[{"introduced":"0.1.0.0"},{"fixed":"1.0.1.1"}],"type":"ECOSYSTEM"}],"severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"}]},{"package":{"ecosystem":"Hackage","name":"bzlib-conduit"},"ranges":[{"events":[{"introduced":"0.1.0.0"},{"fixed":"0.3.0.3"}],"type":"ECOSYSTEM"}],"severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"}]}],"aliases":["CVE-2019-12900"],"details":"# out-of-bounds write when there are many bzip2 selectors\n\nA malicious bzip2 payload may produce a memory corruption\nresulting in a denial of service and/or remote code execution.\nNetwork services or command line utilities decompressing\nuntrusted bzip2 payloads are affected.\n\nNote that the exploitation of this bug relies on an undefined\nbehavior that appears to be handled safely by current compilers.\n\nThe Haskell libraires are vulnerable when they are built using\nthe bundled C library source code, which is the default\nin most cases.\n","id":"HSEC-2024-0002","modified":"2024-03-11T12:26:51Z","published":"2024-03-11T12:26:51Z","references":[{"type":"DISCUSSION","url":"https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"},{"type":"DISCUSSION","url":"http://scary.beasts.org/security/CESA-2008-005.html"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/cve-2019-12900"},{"type":"FIX","url":"https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"}],"schema_version":"1.5.0","summary":"out-of-bounds write when there are many bzip2 selectors"}