CESA-2005-002 - rev 3

bzip2 decompression bomb vulnerability
======================================

Programs affected: bzip2 and programs which reuse bzip2 (such as the Mac OS/X decompressor)
Severity: Decompression bomb leading to DoS
Discovered date: May 4th 2005
Vendor notified date: May 4th 2005
Updates being released (issue out of the bag): May 20th 2005

Whilst playing with "random bitflipping" technology, an effective decompression bomb attack against bzip2 was identified. bzip2 can be made to decompress into a file indefinitely when it encounters a suitably corrupt bzip2 archive.

Demo bz2 archive: http://scary.beasts.org/misc/bomb.bz2

Important update for rev 2
==========================

This vulnerability and allegedly others are already fixed in v1.0.3. However, the uptake of v1.0.3 has been slow; there does not seem to be an awareness that v1.0.3 fixes security issues. Security updates are required and vendors need to check their codebases for static copies of bzip code.

Attack vectors
==============

Possible attack vectors include:

- Attacks against anti-virus gateways to mount DoS or scan bypass attacks.
- Mailing the bomb to a victim to fill their disk, causing a DoS. This will be particularly effective if the victim's mail client or desktop automatically inspects or indexes the archive.

CESA-2005-002 - rev 3
Chris Evans
chris@scary.beasts.org
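The defensive lesson of the advisory is that code decompressing untrusted archives (an anti-virus gateway, a mail indexer, a desktop search daemon) must not assume the stream will terminate or stay within a sane size. The example below is added here and is not part of the advisory or of bzip2's own code; it shows a bounded bz2 reader in Python that pulls output in fixed-size slices and enforces both an absolute output cap and an expansion-ratio cap, so a stream that expands indefinitely is cut off after a fixed budget rather than filling the disk. The sample inputs are constructed with the standard library (a small text blob and 4 MiB of zeros as a high-ratio stream); the advisory's bomb.bz2 is not reproduced. The function and exception names are this example's own.

```python
import bz2
import io

# Constructed sample inputs built with the standard library. Neither is the
# advisory's bomb.bz2; the high-ratio stream is simply 4 MiB of zeros, a
# well-formed archive whose expansion is far beyond what a policy for
# untrusted input should accept by default.
SMALL_PAYLOAD = b"CESA-2005-002 sample text\n" * 40
SMALL_BZ2 = bz2.compress(SMALL_PAYLOAD)
HIGH_RATIO_BZ2 = bz2.compress(b"\x00" * (4 * 1024 * 1024))


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output exceeds the configured budget."""


def bounded_bz2_decompress(data, max_output=1024 * 1024, max_ratio=100,
                           chunk=64 * 1024):
    """Decompress an in-memory bz2 stream under two limits.

    max_output: absolute cap on decompressed bytes.
    max_ratio:  cap on decompressed size / compressed size.

    Output is read in slices of at most `chunk` bytes, so memory use stays
    within the budget even if the stream never reaches its end-of-stream
    marker. A stream that is truncated before that marker raises EOFError
    (from the standard library's BZ2File).
    """
    out = bytearray()
    # Ratio budget is fixed up front from the compressed length; the
    # max(..., 1) guards against a zero-length input.
    ratio_budget = max_ratio * max(len(data), 1)
    with bz2.open(io.BytesIO(data), "rb") as f:
        while True:
            piece = f.read(chunk)
            if not piece:
                break  # genuine end of stream
            out += piece
            if len(out) > max_output:
                raise DecompressionLimitExceeded(
                    "output exceeds %d bytes" % max_output)
            if len(out) > ratio_budget:
                raise DecompressionLimitExceeded(
                    "expansion ratio exceeds %d:1" % max_ratio)
    return bytes(out)


if __name__ == "__main__":
    print(len(bounded_bz2_decompress(SMALL_BZ2)), "bytes from small archive")
    try:
        bounded_bz2_decompress(HIGH_RATIO_BZ2)
    except DecompressionLimitExceeded as e:
        print("rejected high-ratio stream:", e)
```

In a gateway the limits would come from policy (per-attachment size, per-message ratio); the point is that the decompressor is driven by the caller's budget, not by the stream's own claims about where it ends.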