VYPR
Unrated severity · NVD Advisory · Published Apr 6, 2023 · Updated Mar 5, 2025

CVE-2023-29420

Description

An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is a crash caused by an invalid memmove in bz3_decode_block.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

bzip3 versions before 1.2.3 contain a heap-buffer-overflow in bz3_decode_block that causes a crash when processing a crafted compressed file.

Vulnerability

The vulnerability resides in the bz3_decode_block function in libbzip3.a (specifically in src/libbz3.c). When a specially crafted archive is decompressed with the bzip3 -Bcd command, an invalid memmove leads to a heap-buffer-overflow in libsais_unbwt_calculate_biPSI within the bundled libsais.h library [1]. All versions prior to 1.2.3 are affected [1][2].

Exploitation

An attacker can trigger the vulnerability by providing a malformed bzip3 archive file. No authentication is required; the victim only needs to decompress the file using bzip3 -Bcd (or a similar decompression invocation). The fuzzing report indicates that the crash is reproducible with the provided test cases [1]. The crashing path runs through libsais_unbwt, called from bz3_decode_block at line 680 of src/libbz3.c [1].

Impact

A successful exploit causes a heap-buffer-overflow, resulting in a program crash (denial of service) [1]. The crash is immediate and there is no evidence of code execution or information disclosure in the available references.

Mitigation

The issue is fixed in version 1.2.3 of bzip3 [2]. Users should upgrade to this version or later. Fedora has released package updates [3][4], but the content of those announcements is not accessible via the provided references. If upgrading is not possible, avoid decompressing untrusted bzip3 files as a workaround.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • bzip3/bzip3 [description]
  • bzip3/bzip3 [llm-fuzzy]
    Range: <1.2.3

Patches


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References


News mentions


No linked articles in our index yet.