#4: Bundled code is vulnerable to CVE-2019-12900 :: hub.darcs.net

libbz2 bindings for Haskell

#4Bundled code is vulnerable to CVE-2019-12900

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900

Upstream patch: https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184

Code here: https://hub.darcs.net/vmchale/bz2/browse/cbits/decompress.c#290

maerwald Sat Mar 9 08:31:33 UTC 2024
Patch is here: https://hub.darcs.net/maerwald/bz2/patch/7e90c57b5e81c7ac1fc54f11a5b57c30edf1f0ea
Vanessa McHalde Sat Mar 9 12:53:38 UTC 2024
Thank you! I'll add you as maintainer on Hackage as well.
Vanessa McHalde Sat Mar 9 15:50:16 UTC 2024
- status set to closed
Wait I think bz2 already bundled 1.0.8. So the past few revisions were secure 🤔