CVE-2023-29417 — Out-of-bounds Read in Project Bzip3

CWE-125 — Out-of-bounds Read5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 47.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bzip3 Project Bzip3 Debian Bzip3

Timeline

PublishedApr 6

Description

An issue was discovered in libbzip3.a in bzip3 1.2.2. There is a bz3_decompress out-of-bounds read in certain situations where buffers passed to bzip3 do not contain enough space to be filled with decompressed data. NOTE: the vendor's perspective is that the observed behavior can only occur for a contract violation, and thus the report is invalid.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶debiandebian/bzip3

▶NVDbzip3_project/bzip31.2.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-29417: An issue was discovered in libbzip3↗2023-04-06

▶

OSV

CVE-2023-29417: ** DISPUTED ** An issue was discovered in libbzip3↗2023-04-06

▶

GHSA

GHSA-gprg-q8r6-84hw: ** DISPUTED ** An issue was discovered in libbzip3↗2023-04-06

▶

📋Vendor Advisories

Debian

CVE-2023-29417: bzip3 - An issue was discovered in libbzip3.a in bzip3 1.2.2. There is a bz3_decompress ...↗2023

▶