VYPR
Unrated severity · NVD Advisory · Published Apr 6, 2023 · Updated Mar 5, 2025

CVE-2023-29419

Description

An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is a bz3_decode_block out-of-bounds read.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

bzip3 prior to 1.2.3 has an out-of-bounds read in bz3_decode_block, exploitable via crafted compressed files.

Vulnerability

An out-of-bounds read exists in the bz3_decode_block function of libbzip3.a in bzip3 before version 1.2.3 [1]. The read happens in mrled, the run-length decoder called during block decoding: it kept consuming input bytes for as long as output remained to be produced and never checked that any input was left, so specially crafted compressed data can drive it past the end of the input buffer, which sanitizers report as a heap-buffer-overflow read [3]. Affected versions: all releases prior to 1.2.3.

Exploitation

An attacker exploits this by getting a victim to decompress a malicious bzip3 file, for example with the bzip3 -Bcd command, or by feeding the file to any application linked against the affected library [1]. No authentication or privilege is required beyond triggering the decompression itself; the file can arrive over the network (a download, an attachment, or a service that decompresses untrusted input). The description classifies the bug as an out-of-bounds read: what the attacker controls is how far past the input buffer the decoder reads, not what is written.

Impact

Successful exploitation makes the decoder read past the end of a heap buffer. The realistic outcomes are a crash (denial of service) or, where the over-read bytes influence the produced output, disclosure of adjacent heap contents. Nothing in the description indicates an out-of-bounds write, so code execution is not supported by what has been published; the references primarily document crashes.

Mitigation

The fix is included in version 1.2.3, released on 2023-04-06 [2]. The commit [3] adds a maxin parameter to mrled and checks the input position against it, returning an error instead of reading past the end of the input. Users should upgrade to bzip3 1.2.3 or later; because libbzip3.a is a static archive, applications that link it statically must be rebuilt against the fixed version rather than relying on a library package update alone. Fedora has also released updates [4]. No workaround exists for unpatched versions beyond not decompressing untrusted bzip3 input.
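The bug class described in the Vulnerability and Mitigation sections, shown as an added example that is not bzip3's code: a hypothetical run-length decoder (the format, the names rle_decode_vuln / rle_decode_fixed and the sample block are all constructed for this page and are not bzip3's mrled format) in its pre-fix shape, which stops only when the output is full, beside a post-fix shape that carries a maxin bound like the one the 1.2.3 commit is described as adding. The malicious block is kept inside a larger array so the over-read stays within defined memory for the demonstration; against a real heap buffer the same read lands in whatever the allocator placed next.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "doubled byte announces a run" RLE, used here only to show the
 * missing-input-bound bug class. It is NOT bzip3's mrled format or code.
 * Stream grammar: a literal byte is copied; when a byte equals the byte just
 * copied, the next stream byte N means "emit N further copies". */

/* Pre-fix shape: the loop stops only when the output is full and never asks
 * whether input is left, so truncated data drives ip past the real input.
 * Returns the number of input bytes consumed. */
static int rle_decode_vuln(const uint8_t *in, uint8_t *out, int outlen) {
    int ip = 0, op = 0, prev = -1;
    while (op < outlen) {
        int c = in[ip++];                 /* unchecked read */
        out[op++] = (uint8_t)c;
        if (c == prev) {
            int run = in[ip++];           /* unchecked read of the count byte */
            while (run-- > 0 && op < outlen) out[op++] = (uint8_t)c;
            prev = -1;
        } else {
            prev = c;
        }
    }
    return ip;
}

/* Post-fix shape, mirroring the maxin parameter the 1.2.3 commit is described
 * as adding: every read is preceded by a bound check and bad input yields -1. */
static int rle_decode_fixed(const uint8_t *in, int maxin, uint8_t *out, int outlen) {
    int ip = 0, op = 0, prev = -1;
    while (op < outlen) {
        if (ip >= maxin) return -1;       /* input exhausted before output filled */
        int c = in[ip++];
        out[op++] = (uint8_t)c;
        if (c == prev) {
            if (ip >= maxin) return -1;   /* run marker present, count byte missing */
            int run = in[ip++];
            while (run-- > 0 && op < outlen) out[op++] = (uint8_t)c;
            prev = -1;
        } else {
            prev = c;
        }
    }
    return ip;
}

/* Constructed malicious block: 4 bytes of encoded data that legitimately
 * decode to 6 bytes, but the (attacker-controlled) block header claims 64.
 * The 0xEE bytes stand in for whatever the heap holds after the real input;
 * keeping them inside one array keeps this demo free of undefined behaviour. */
#define ENC_LEN      4
#define CLAIMED_OUT  64
static const uint8_t g_block[ENC_LEN + 16] = {
    'A', 'B', 'B', 3,   /* A, then B doubled, then 3 more B -> "ABBBBB" */
    0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE,
    0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE,
};

/* Pre-fix decoder on the malicious block: returns how many bytes it consumed,
 * which exceeds ENC_LEN, i.e. it read "heap" bytes it was never given. */
int demo_vuln_overread(void) {
    uint8_t out[CLAIMED_OUT];
    return rle_decode_vuln(g_block, out, CLAIMED_OUT);
}

/* Fixed decoder on the same block: -1 as soon as the input runs out. */
int demo_fixed_rejects(void) {
    uint8_t out[CLAIMED_OUT];
    return rle_decode_fixed(g_block, ENC_LEN, out, CLAIMED_OUT);
}

/* Fixed decoder with an honest header (6 output bytes): 1 if it consumed all
 * 4 input bytes and produced "ABBBBB", else 0. */
int demo_fixed_valid(void) {
    uint8_t out[6];
    int used = rle_decode_fixed(g_block, ENC_LEN, out, (int)sizeof out);
    return used == ENC_LEN && memcmp(out, "ABBBBB", 6) == 0;
}

int main(void) {
    printf("vulnerable decoder consumed %d of %d input bytes\n",
           demo_vuln_overread(), ENC_LEN);
    printf("fixed decoder on the same block returned %d\n", demo_fixed_rejects());
    printf("fixed decoder on honest header ok: %d\n", demo_fixed_valid());
    return 0;
}
```

Two points carry over to the real decoder. First, the bound belongs next to every read, not just at the top of the loop: one iteration here reads two bytes (the marker and the count), so a single check would still let the count byte be fetched from beyond the buffer. Second, the output length comes from attacker-controlled header fields, so "output is full" is never a safe substitute for "input is exhausted"; the fixed version treats running out of input as a hard error rather than trusting the header.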

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • bzip3/libbzip3 (source: description)
  • bzip3/bzip3 (source: llm-create)
    Range: <1.2.3

Patches (0)

No patches discovered yet.


References (6)
