Subject: | CPAN uses Bzip2 1.0.6 with CVE-2019-12900 |
Date: | Wed, 5 Feb 2020 01:22:01 -0500 |
To: | bug-CPAN [...] rt.cpan.org |
From: | Jeffrey Walton <noloader [...] gmail.com> |
According to the head notes in cpan/Compress-Raw-Bzip2/decompress:
$ cat cpan/Compress-Raw-Bzip2/decompress.c
/*-------------------------------------------------------------*/
/*--- Decompression machinery ---*/
/*--- decompress.c ---*/
/*-------------------------------------------------------------*/
/* ------------------------------------------------------------------
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
bzip2/libbzip2 version 1.0.6 of 6 September 2010
Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
Bzip2 version 1.0.6 has a security defect; see Bzip2 download and
CVE-2019-12900 fix
(https://sourceware.org/ml/bzip2-devel/2019-q2/msg00015.html). Perl
should update to version 1.0.7 or 1.0.8.
Bzip2's new home is Sourceware website
(https://www.sourceware.org/bzip2/). Seward lost the Bzip2 website to
squatters a couple of years ago.
Also see https://github.com/Perl/perl5/issues/17529 and
https://github.com/Perl/perl5/issues/17528.
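As an added example (not part of the report above, nor code from Perl or bzip2), the following script performs the check the report implies: it reads the "bzip2/libbzip2 version X.Y.Z" line that libbzip2 stamps into each of its source files and flags anything older than 1.0.7, the first release the report names as carrying the CVE-2019-12900 fix. The header text embedded below is a constructed sample copied from the quoted decompress.c header; the function names and the 1.0.7 cutoff are this example's own choices.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the libbzip2 header comment as quoted in the report.
SAMPLE_HEADER = """/*-------------------------------------------------------------*/
/*--- Decompression machinery                                ---*/
/*---                                          decompress.c ---*/
/*-------------------------------------------------------------*/
/* ------------------------------------------------------------------
   This file is part of bzip2/libbzip2, a program and library for
   lossless, block-sorting data compression.

   bzip2/libbzip2 version 1.0.6 of 6 September 2010
   Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
"""

# First release the report says carries the CVE-2019-12900 fix (assumption
# taken from the report's "update to 1.0.7 or 1.0.8").
MIN_FIXED_VERSION = (1, 0, 7)

# libbzip2 stamps every source file with this line; the three numeric
# fields are what we compare.
_VERSION_RE = re.compile(r"bzip2/libbzip2 version (\d+)\.(\d+)\.(\d+)")

Version = Tuple[int, int, int]


def parse_bzip2_version(text: str) -> Optional[Version]:
    """Return the (major, minor, patch) stamped in a libbzip2 source file,
    or None if the file carries no such stamp (i.e. it is not libbzip2)."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable_version(version: Version) -> bool:
    """True when the bundled libbzip2 predates the fixed release."""
    return version < MIN_FIXED_VERSION


def check_sources(sources: Dict[str, str]) -> List[Tuple[str, Version, bool]]:
    """Pure core: map of path -> file text, returns one row per libbzip2
    file found: (path, version, vulnerable). Non-bzip2 files are skipped."""
    rows = []
    for path in sorted(sources):
        version = parse_bzip2_version(sources[path])
        if version is None:
            continue
        rows.append((path, version, is_vulnerable_version(version)))
    return rows


def check_tree(root: str) -> List[Tuple[str, Version, bool]]:
    """Walk a source tree (e.g. a perl5 checkout's cpan/Compress-Raw-Bzip2)
    and run check_sources over every .c/.h file in it."""
    sources: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".c", ".h")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[full] = fh.read()
    return check_sources(sources)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = check_tree(target) if target else check_sources({"decompress.c": SAMPLE_HEADER})
    for path, version, vulnerable in results:
        status = "VULNERABLE (CVE-2019-12900)" if vulnerable else "ok"
        print(f"{path}: libbzip2 {'.'.join(map(str, version))} {status}")
```

Run it as `python3 check_bzip2.py cpan/Compress-Raw-Bzip2` inside a perl5 checkout; with no argument it checks the embedded sample and reports 1.0.6 as vulnerable. The cutoff only tracks the version stamp, so a vendored 1.0.6 that had the fix backported would still be flagged; confirm against the actual decompress.c contents before closing a ticket on that basis.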