Unrated severityNVD Advisory· Published Jun 19, 2019· Updated Jun 9, 2025

CVE-2019-12900

Description

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Affected products

bzip2/bzip2description
osv-coords61 versions
pkg:hackage/bz2 pkg:hackage/bzlib pkg:hackage/bzlib-conduit pkg:rpm/almalinux/bzip2 pkg:rpm/almalinux/bzip2-devel pkg:rpm/almalinux/bzip2-libs pkg:rpm/opensuse/bzip2&distro=openSUSE%20Leap%2015.0 pkg:rpm/opensuse/bzip2&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/bzip2&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/clamav&distro=openSUSE%20Leap%2015.0 pkg:rpm/opensuse/clamav&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/clamav&distro=openSUSE%20Leap%2015.2 pkg:rpm/opensuse/clamav&distro=openSUSE%20Tumbleweed pkg:rpm/suse/bzip2&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/bzip2&distro=SUSE%20Enterprise%20Storage%204 pkg:rpm/suse/bzip2&distro=SUSE%20Enterprise%20Storage%205 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/bzip2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 pkg:rpm/suse/bzip2&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/bzip2&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/bzip2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/clamav&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/clamav&distro=SUSE%20Enterprise%20Storage%205 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/clamav&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/clamav&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/clamav&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/clamav&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/clamav&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
>= 0.1.0.0, < 1.0.1.1+ 60 more
- (no CPE)range: >= 0.1.0.0, < 1.0.1.1
- (no CPE)range: >= 0.4, < 0.5.2.0
- (no CPE)range: >= 0.1.0.0, < 0.3.0.3
- (no CPE)range: < 1.0.6-27.el8_10
- (no CPE)range: < 1.0.6-27.el8_10
- (no CPE)range: < 1.0.6-27.el8_10
- (no CPE)range: < 1.0.6-lp151.5.6.1
- (no CPE)range: < 1.0.6-lp151.5.6.1
- (no CPE)range: < 1.0.8-3.2
- (no CPE)range: < 0.100.3-lp150.2.13.1
- (no CPE)range: < 0.100.3-lp151.2.3.1
- (no CPE)range: < 0.103.0-lp152.6.3.1
- (no CPE)range: < 0.103.3-1.4
- (no CPE)range: < 1.0.6-30.8.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-5.6.1
- (no CPE)range: < 1.0.6-5.6.1
- (no CPE)range: < 1.0.5-34.256.5.1
- (no CPE)range: < 1.0.5-34.256.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.8.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.5.1
- (no CPE)range: < 1.0.6-30.8.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-3.14.1
- (no CPE)range: < 0.100.3-3.14.1
- (no CPE)range: < 0.103.0-3.23.1
- (no CPE)range: < 0.100.3-0.20.26.1
- (no CPE)range: < 0.100.3-0.20.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.103.0-33.32.1
- (no CPE)range: < 0.103.0-3.3.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.103.0-3.3.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.103.0-33.32.1
- (no CPE)range: < 0.100.3-33.26.1
- (no CPE)range: < 0.103.0-33.32.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.htmlmitrevendor-advisoryx_refsource_SUSE
lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.htmlmitrevendor-advisoryx_refsource_SUSE
lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.htmlmitrevendor-advisoryx_refsource_SUSE
lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.htmlmitrevendor-advisoryx_refsource_SUSE
security.freebsd.org/advisories/FreeBSD-SA-19:18.bzip2.ascmitrevendor-advisoryx_refsource_FREEBSD
usn.ubuntu.com/4038-1/mitrevendor-advisoryx_refsource_UBUNTU
usn.ubuntu.com/4038-2/mitrevendor-advisoryx_refsource_UBUNTU
usn.ubuntu.com/4146-1/mitrevendor-advisoryx_refsource_UBUNTU
usn.ubuntu.com/4146-2/mitrevendor-advisoryx_refsource_UBUNTU
packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.htmlmitrex_refsource_MISC
packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.htmlmitrex_refsource_MISC
gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbcmitrex_refsource_MISC
lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774%40%3Cuser.flink.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4%40%3Cuser.flink.apache.org%3Emitremailing-listx_refsource_MLIST
lists.debian.org/debian-lts-announce/2019/06/msg00021.htmlmitremailing-listx_refsource_MLIST
lists.debian.org/debian-lts-announce/2019/07/msg00014.htmlmitremailing-listx_refsource_MLIST
lists.debian.org/debian-lts-announce/2019/10/msg00012.htmlmitremailing-listx_refsource_MLIST
lists.debian.org/debian-lts-announce/2019/10/msg00018.htmlmitremailing-listx_refsource_MLIST
seclists.org/bugtraq/2019/Aug/4mitremailing-listx_refsource_BUGTRAQ
seclists.org/bugtraq/2019/Jul/22mitremailing-listx_refsource_BUGTRAQ
support.f5.com/csp/article/K68713584mitrex_refsource_CONFIRM
www.oracle.com/security-alerts/cpuoct2020.htmlmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000