Updating bzip2 to remove potential security vulnerability

Jerry freebsd.user at seibercom.net
Fri Oct 1 21:27:15 UTC 2010


On Fri, 1 Oct 2010 14:00:16 -0700
Jason <jhelfman at e-e.com> articulated:

> On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
> >On Fri, 1 Oct 2010 12:14:20 -0500
> >Dan Nelson <dnelson at allantgroup.com> articulated:
> >
> >> You must have missed
> >> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
> >> patches for 6, 7, and 8 are available there, and freebsd-update has
> >> fixed binaries if you use that.
> >
> >Never saw it. So I am assuming that simply using something like:
> >
> >csup -L2 -h cvsup.FreeBSD.org
> >"/usr/src/share/examples/cvsup/standard-supfile"
> >
> >Then rebuild Kernel & World is not going to work. Is that correct?
> 
> The update instructions are in the announcement. Here is a snippet
> from it:
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> # fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch.asc
> 
> b) Execute the following commands as root:
> 
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libbz2
> # make obj && make depend && make && make install
> 
> NOTE: On the amd64 platform, the above procedure will not update the
> lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
> compatibility libraries are used, the operating system should instead
> be recompiled as described in
> <URL:http://www.FreeBSD.org/handbook/makeworld.html>
> 
> 3) To update your vulnerable system via a binary patch:
> 
> Systems running 6.4-RELEASE, 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or
> 8.1-RELEASE on the i386 or amd64 platforms can be updated via the
> freebsd-update(8) utility:
> 
> # freebsd-update fetch
> # freebsd-update install

I already read that. If you reread my post, I was inquiring about
simply downloading the source tree and then rebuilding world.

The portion regarding amd64 systems pertains to me. Notice: 

<quote>
On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>
</quote>

Am I to infer that I could simply download the sources and rebuild
world, or do I have to download the patches first? It would appear that
I can simply update the sources and rebuild my kernel & world. Your
post failed to address the question I posed.

-- 
Jerry ✌
FreeBSD.user at seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
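
An added example, not part of the original message or of the advisory: one way to check whether a source tree (for instance, one just refreshed with csup) already carries the advisory's fix before deciding between patching and a plain rebuild. The function names, the `-p0` strip level and the assumption that the signing key is already in the gpg keyring are assumptions made for this example.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the advisory.

# verify_sig PATCH SIG
# Succeeds only if SIG is a valid detached signature over PATCH.
# Assumes the signer's public key was imported and checked beforehand.
verify_sig() {
    gpg --verify "$2" "$1" >/dev/null 2>&1
}

# patch_state SRCDIR PATCH   (PATCH must be an absolute path)
# Prints one of:
#   needed   - the patch applies cleanly, so the tree lacks the fix
#   applied  - the patch reverses cleanly, so the tree already has the fix
#   conflict - neither; the tree differs from what the patch expects
# Uses dry runs only, so the tree is never modified.
# Assumption: paths in the patch are relative to SRCDIR (-p0).
patch_state() {
    src=$1
    p=$2
    if (cd "$src" && patch -p0 --dry-run -f -s < "$p") >/dev/null 2>&1; then
        echo needed
    elif (cd "$src" && patch -p0 --dry-run -R -f -s < "$p") >/dev/null 2>&1; then
        echo applied
    else
        echo conflict
    fi
}

# check_tree SRCDIR PATCH SIG
# Refuses to look at the tree unless the signature verifies first.
check_tree() {
    if ! verify_sig "$2" "$3"; then
        echo "signature check failed: $2" >&2
        return 2
    fi
    patch_state "$1" "$2"
}

# Typical call (paths are placeholders):
#   check_tree /usr/src /path/to/bzip2.patch /path/to/bzip2.patch.asc
```

A result of `applied` means the updated sources already include the change and only the rebuild remains; `needed` means the patch step still has to be done before rebuilding.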