Updating bzip2 to remove potential security vulnerability

Jerry freebsd.user at seibercom.net
Fri Oct 1 21:49:34 UTC 2010


On Fri, 1 Oct 2010 22:23:16 +0100
Bruce Cran <bruce at cran.org.uk> articulated:

> On Fri, 1 Oct 2010 14:00:16 -0700
> Jason <jhelfman at e-e.com> wrote:
> 
> > On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
> > >On Fri, 1 Oct 2010 12:14:20 -0500
> > >Dan Nelson <dnelson at allantgroup.com> articulated:
> > >
> > >> You must have missed
> > >> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
> > >> patches for 6, 7, and 8 are available there, and freebsd-update
> > >> has fixed binaries if you use that.
> > >
> > >Never saw it. So I am assuming that simply using something like:
> > >
> > >csup -L2 -h cvsup.FreeBSD.org "/usr/src/share/examples/cvsup/standard-supfile"
> > >
> > >Then rebuild Kernel & World is not going to work. Is that correct?
> > 
> > The update instructions are in the announcement. Here is a snippet
> > from it:
> 
> Or yes, you can just update to the latest sources via csup - it's been
> fixed in all supported security branches as well as HEAD (see
> http://svn.freebsd.org/viewvc/base/releng/8.1/UPDATING?view=log for
> example).

OK, I just updated my sources; however, this notation from the UPDATING
file does NOT appear in the UPDATING file on my machine:

20100920:	p1	FreeBSD-SA-10:08.bzip2
	Fix an integer overflow in RLE length parsing when decompressing
	corrupt bzip2 data.

I am using this as the tag, which is probably incorrect.

default release=cvs tag=RELENG_8

This is the stock standard-supfile. The stock stable-supfile has the
same tag.

-- 
Jerry ✌
FreeBSD.user at seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________



More information about the freebsd-questions mailing list