hsec-2024-0002
Vulnerability from osv_haskell
Published: 2025-11-14 14:45
Modified: 2025-11-14 14:45
Summary
out-of-bounds write when there are many bzip2 selectors
Details

A malicious bzip2 payload may cause memory corruption, resulting in a denial of service and/or remote code execution. Network services or command-line utilities that decompress untrusted bzip2 payloads are affected.

Note that exploitation of this bug relies on undefined behavior that appears to be handled safely by current compilers.

The Haskell libraries are vulnerable when they are built using the bundled C library source code, which is the default in most cases.


{
  "affected": [
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2024/HSEC-2024-0002.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0002.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "bzlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4"
            },
            {
              "fixed": "0.5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    },
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2024/HSEC-2024-0002.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0002.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "bz2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0.0"
            },
            {
              "fixed": "1.0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    },
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2024/HSEC-2024-0002.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0002.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "bzlib-conduit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0.0"
            },
            {
              "fixed": "0.3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-12900"
  ],
  "database_specific": {
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
  },
  "details": "# out-of-bounds write when there are many bzip2 selectors\n\nA malicious bzip2 payload may produce a memory corruption\nresulting in a denial of service and/or remote code execution.\nNetwork services or command line utilities decompressing\nuntrusted bzip2 payloads are affected.\n\nNote that the exploitation of this bug relies on an undefined\nbehavior that appears to be handled safely by current compilers.\n\nThe Haskell libraires are vulnerable when they are built using\nthe bundled C library source code, which is the default\nin most cases.\n",
  "id": "HSEC-2024-0002",
  "modified": "2025-11-14T14:45:34Z",
  "published": "2025-11-14T14:45:34Z",
  "references": [
    {
      "type": "DISCUSSION",
      "url": "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"
    },
    {
      "type": "DISCUSSION",
      "url": "http://scary.beasts.org/security/CESA-2008-005.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/cve-2019-12900"
    },
    {
      "type": "FIX",
      "url": "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "out-of-bounds write when there are many bzip2 selectors"
}

