From d729ef50f5efb20fa7a2032bae462c69eacb5c55 Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Fri, 8 Mar 2024 09:18:56 -0500
Subject: [PATCH 1/2] Add HSEC-2024-0002
---
advisories/hackage/bz2/HSEC-2024-0002.md | 1 +
.../hackage/bzlib-conduit/HSEC-2024-0002.md | 1 +
advisories/hackage/bzlib/HSEC-2024-0002.md | 61 +++++++++++++++++++
3 files changed, 63 insertions(+)
create mode 120000 advisories/hackage/bz2/HSEC-2024-0002.md
create mode 120000 advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
create mode 100644 advisories/hackage/bzlib/HSEC-2024-0002.md
diff --git a/advisories/hackage/bz2/HSEC-2024-0002.md b/advisories/hackage/bz2/HSEC-2024-0002.md
new file mode 120000
index 00000000..cb2989c5
--- /dev/null
+++ b/advisories/hackage/bz2/HSEC-2024-0002.md
@@ -0,0 +1 @@
+../bzlib/HSEC-2024-0002.md
\ No newline at end of file
diff --git a/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
new file mode 120000
index 00000000..cb2989c5
--- /dev/null
+++ b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
@@ -0,0 +1 @@
+../bzlib/HSEC-2024-0002.md
\ No newline at end of file
diff --git a/advisories/hackage/bzlib/HSEC-2024-0002.md b/advisories/hackage/bzlib/HSEC-2024-0002.md
new file mode 100644
index 00000000..d9e49d1f
--- /dev/null
+++ b/advisories/hackage/bzlib/HSEC-2024-0002.md
@@ -0,0 +1,61 @@
+```toml
+[advisory]
+id = "HSEC-2024-0002"
+cwe = [787]
+keywords = ["corruption", "vendored-code", "language-c"]
+aliases = ["CVE-2019-12900"]
+
+[[references]]
+type = "DISCUSSION"
+url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"
+
+[[references]]
+type = "DISCUSSION"
+url = "http://scary.beasts.org/security/CESA-2008-005.html"
+
+[[references]]
+type = "ADVISORY"
+url = "https://access.redhat.com/security/cve/cve-2019-12900"
+
+[[references]]
+type = "FIX"
+url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"
+
+[[affected]]
+package = "bzlib"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.4"
+fixed = "0.5.2.0"
+
+[[affected]]
+package = "bz2"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "1.0.1.1"
+
+[[affected]]
+package = "bzlib-conduit"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "0.3.0.3"
+```
+
+# out-of-bounds write when there are many bzip2 selectors
+
+A malicious bzip2 payload may produce a memory corruption
+resulting in a denial of service and/or remote code execution.
+Network services or command line utilities decompressing
+untrusted bzip2 payloads are affected.
+
+Note that the exploitation of this bug relies on an undefined
+behavior that appears to be handled safely by current compilers.
+
+The Haskell libraires are vulnerable when they are built using
+the bundled C library source code, which is the default
+in most cases.
From eeb1f884740c0d539d48bbfca71426ff587de71b Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Sat, 9 Mar 2024 09:55:20 -0500
Subject: [PATCH 2/2] cvss: add new test case
---
code/cvss/test/Spec.hs | 1 +
1 file changed, 1 insertion(+)
diff --git a/code/cvss/test/Spec.hs b/code/cvss/test/Spec.hs
index dd17033e..5faccf73 100644
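Review bot: The description and the CVSS vectors in this hunk make different severity claims: the prose says a malicious payload can cause "denial of service and/or remote code execution" in network services decompressing untrusted input, while all three `cvss` entries are `CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`, i.e. local attack vector, low integrity impact only, no availability or confidentiality impact. The vector appears to follow the Red Hat assessment linked under `[[references]]`, and the hunk's own note that exploitation "relies on an undefined behavior that appears to be handled safely by current compilers" supports the lower score, but the text should say which assessment the vector adopts so the 4.0 score and the RCE wording are not read as the same claim; one sentence such as `The CVSS vector follows the linked Red Hat assessment; see the first DISCUSSION reference for why practical exploitation is considered unlikely.` after the compiler note would do. Separately, `libraires` in the last paragraph should read `libraries`.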
--- a/code/cvss/test/Spec.hs
+++ b/code/cvss/test/Spec.hs
@@ -27,6 +27,7 @@ examples =
 , ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1, CVSS.Medium)
 , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", 6.4, CVSS.Medium)
 , ("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 3.1, CVSS.Low)
+ , ("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 4.0, CVSS.Medium)
 , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", 9.9, CVSS.Critical)
 , ("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", 4.2, CVSS.Medium)
 , ("CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", 7.8, CVSS.High)
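Review bot: The added row pins `4.0, CVSS.Medium` for the vector used in the HSEC-2024-0002 advisory from the first patch of this series, but nothing in the fixture records that origin, so a future reader cannot tell whether the expected score was recomputed or copied from an external assessment. A trailing comment such as `-- HSEC-2024-0002 (CVE-2019-12900); 4.0 sits on the Medium boundary` would tie the fixture to its source and explain why this vector is worth a dedicated case. The `examples` list starts before this hunk and continues past it.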