Bug #131687 for CPAN: CPAN uses Bzipr2 1.0.6 with CVE-2019-12900

Wed Feb 05 01:23:32 2020 noloader [...] gmail.com - Ticket created

Subject:	CPAN uses Bzipr2 1.0.6 with CVE-2019-12900
Date:	Wed, 5 Feb 2020 01:22:01 -0500
To:	bug-CPAN [...] rt.cpan.org
From:	Jeffrey Walton <noloader [...] gmail.com>

According to the head notes in cpan/Compress-Raw-Bzip2/decompress: $ cat cpan/Compress-Raw-Bzip2/decompress.c /*-------------------------------------------------------------*/ /*--- Decompression machinery ---*/ /*--- decompress.c ---*/ /*-------------------------------------------------------------*/ /* ------------------------------------------------------------------ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. bzip2/libbzip2 version 1.0.6 of 6 September 2010 Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> Bzip2 version 1.0.6 has a security defect; see Bzip2 download and CVE-2019-12900 fix (https://sourceware.org/ml/bzip2-devel/2019-q2/msg00015.html)? Perl should update to version 1.0.7 or 1.0.8. Bzip2's new home is Sourceware website (https://www.sourceware.org/bzip2/). Seward lost the Bzip2 website to squatters a couple of years ago. Also see https://github.com/Perl/perl5/issues/17529 and https://github.com/Perl/perl5/issues/17528.

Wed Feb 05 03:57:32 2020 haarg [...] haarg.org - Correspondence added

This has already been fixed. Version 2.088, released 31 October 2019, upgraded the bzip2 library to 1.0.8. It was also filed on the wrong queue. This is the queue for the CPAN distribution, but it should be filed on the Compress-Raw-Bzip2 queue.

Wed Feb 05 03:57:33 2020 The RT System itself - Status changed from 'new' to 'open'

Wed Feb 05 04:06:23 2020 noloader [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #131687] CPAN uses Bzipr2 1.0.6 with CVE-2019-12900
Date:	Wed, 5 Feb 2020 04:06:04 -0500
To:	bug-CPAN [...] rt.cpan.org
From:	Jeffrey Walton <noloader [...] gmail.com>

On Wed, Feb 5, 2020 at 3:57 AM Graham Knop via RT <bug-CPAN@rt.cpan.org> wrote: Show quoted text

> > <URL: https://rt.cpan.org/Ticket/Display.html?id=131687 > > > This has already been fixed. Version 2.088, released 31 October 2019, upgraded the bzip2 library to 1.0.8. It was also filed on the wrong queue. This is the queue for the CPAN distribution, but it should be filed on the Compress-Raw-Bzip2 queue.

Thanks Graham. I'm building Perl 5.30.1 from sources. What do I do to get the updated version of the tool? Is there anything I can do, or do I have to wait for the next Perl release? Forgive my ignorance. I don't use Perl. I'm working with OpenSSL 1.1.x. OpenSSL needs a semi-modern Perl, so I had to build Perl from sources on older machines. Jeff

Thu Feb 06 03:38:55 2020 pmqs [...] cpan.org - Correspondence added

On Wed Feb 05 04:06:23 2020, noloader@gmail.com wrote: Show quoted text

> On Wed, Feb 5, 2020 at 3:57 AM Graham Knop via RT <bug- > CPAN@rt.cpan.org> wrote:

> > > > <URL: https://rt.cpan.org/Ticket/Display.html?id=131687 > > > > > This has already been fixed. Version 2.088, released 31 October > > 2019, upgraded the bzip2 library to 1.0.8. It was also filed on the > > wrong queue. This is the queue for the CPAN distribution, but it > > should be filed on the Compress-Raw-Bzip2 queue.

> > Thanks Graham. > > I'm building Perl 5.30.1 from sources. What do I do to get the updated > version of the tool? Is there anything I can do, or do I have to wait > for the next Perl release?

You can just install the latest version of the module. The perl distribution comes with a script called cpan. Just run it his using the same account you used to build & install perl. cpan Compress::Raw::Bzip2 Alternatively, download the module source from https://cpan.metacpan.org/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.093.tar.gz Unpack the tar.gz file, cd into the new directory & run perl Makefile.PL make test make install