Vulnerability Details CVE-2019-12900
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.014
EPSS Ranking 79.3%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774%40%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4%40%3Cuser.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
- https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html
- https://seclists.org/bugtraq/2019/Aug/4
- https://seclists.org/bugtraq/2019/Jul/22
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4038-1/
- https://usn.ubuntu.com/4038-2/
- https://usn.ubuntu.com/4146-1/
- https://usn.ubuntu.com/4146-2/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774%40%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4%40%3Cuser.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
- https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html
- https://seclists.org/bugtraq/2019/Aug/4
- https://seclists.org/bugtraq/2019/Jul/22
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4038-1/
- https://usn.ubuntu.com/4038-2/
- https://usn.ubuntu.com/4146-1/
- https://usn.ubuntu.com/4146-2/
- https://www.oracle.com/security-alerts/cpuoct2020.html
Products affected by CVE-2019-12900
-
cpe:2.3:a:bzip:bzip2:0.1
-
cpe:2.3:a:bzip:bzip2:0.15
-
cpe:2.3:a:bzip:bzip2:0.21
-
cpe:2.3:a:bzip:bzip2:1.0.1
-
cpe:2.3:a:bzip:bzip2:1.0.2
-
cpe:2.3:a:bzip:bzip2:1.0.3
-
cpe:2.3:a:bzip:bzip2:1.0.4
-
cpe:2.3:a:bzip:bzip2:1.0.5
-
cpe:2.3:a:bzip:bzip2:1.0.6
-
cpe:2.3:a:python:python:3.10.0
-
cpe:2.3:a:python:python:3.10.1
-
cpe:2.3:a:python:python:3.10.2
-
cpe:2.3:a:python:python:3.7.0
-
cpe:2.3:a:python:python:3.7.1
-
cpe:2.3:a:python:python:3.7.10
-
cpe:2.3:a:python:python:3.7.11
-
cpe:2.3:a:python:python:3.7.12
-
cpe:2.3:a:python:python:3.7.2
-
cpe:2.3:a:python:python:3.7.3
-
cpe:2.3:a:python:python:3.7.4
-
cpe:2.3:a:python:python:3.7.5
-
cpe:2.3:a:python:python:3.7.6
-
cpe:2.3:a:python:python:3.7.7
-
cpe:2.3:a:python:python:3.7.8
-
cpe:2.3:a:python:python:3.7.9
-
cpe:2.3:a:python:python:3.8.0
-
cpe:2.3:a:python:python:3.8.0b1
-
cpe:2.3:a:python:python:3.8.1
-
cpe:2.3:a:python:python:3.8.10
-
cpe:2.3:a:python:python:3.8.11
-
cpe:2.3:a:python:python:3.8.12
-
cpe:2.3:a:python:python:3.8.2
-
cpe:2.3:a:python:python:3.8.3
-
cpe:2.3:a:python:python:3.8.4
-
cpe:2.3:a:python:python:3.8.5
-
cpe:2.3:a:python:python:3.8.6
-
cpe:2.3:a:python:python:3.8.7
-
cpe:2.3:a:python:python:3.8.8
-
cpe:2.3:a:python:python:3.8.9
-
cpe:2.3:a:python:python:3.9.0
-
cpe:2.3:a:python:python:3.9.1
-
cpe:2.3:a:python:python:3.9.10
-
cpe:2.3:a:python:python:3.9.2
-
cpe:2.3:a:python:python:3.9.3
-
cpe:2.3:a:python:python:3.9.4
-
cpe:2.3:a:python:python:3.9.5
-
cpe:2.3:a:python:python:3.9.6
-
cpe:2.3:a:python:python:3.9.7
-
cpe:2.3:a:python:python:3.9.8
-
cpe:2.3:a:python:python:3.9.9
-
cpe:2.3:o:canonical:ubuntu_linux:12.04
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.04
-
cpe:2.3:o:canonical:ubuntu_linux:19.04
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:freebsd:freebsd:11.2
-
cpe:2.3:o:freebsd:freebsd:11.3
-
cpe:2.3:o:freebsd:freebsd:12.0
-
cpe:2.3:o:opensuse:leap:15.0
-
cpe:2.3:o:opensuse:leap:15.1