Problem Description:
The decompressor used in bzip2 contains a bug which can
lead to an out-of-bounds write when processing a specially
crafted bzip2(1) file.
bzip2recover contains a heap use-after-free bug which
can be triggered when processing a specially crafted bzip2(1)
file.
Impact:
An attacker who can cause maliciously crafted input to
be processed may trigger either of these bugs. The bzip2recover
bug may cause a crash, permitting a denial-of-service. The
bzip2 decompressor bug could potentially be exploited to
execute arbitrary code.
Note that some utilities, including the tar(1) archiver
and the bspatch(1) binary patching utility (used in portsnap(8)
and freebsd-update(8)) decompress bzip2(1)-compressed data
internally; system administrators should assume that their
systems will at some point decompress bzip2(1)-compressed
data even if they never explicitly invoke the bunzip2(1)
utility.