CVE-2023-29421

Vulnerability

A heap-based buffer overflow write exists in bz3_decode_block() in libbzip3.a before version 1.2.3. The flaw occurs when decompressing specially crafted compressed data, resulting in a WRITE of size 3275521 bytes beyond the allocated heap buffer. The bug is triggered during the decoding phase of the bzip3 algorithm, specifically at line 709 in src/libbz3.c. All versions from the initial release up to 1.2.2 are affected. [1][2]

Exploitation

An attacker needs to provide a maliciously crafted compressed archive to a process using the bzip3 library for decompression. No special network position or authentication is required beyond the ability to deliver the crafted file (e.g., via a download, email attachment, or file upload). The attack triggers an out-of-bounds write in bz3_decode_block() when memcpy copies a large block into an undersized buffer. No user interaction beyond opening or processing the file is necessary. [2]

Impact

Successful exploitation leads to heap memory corruption, which can cause a crash (denial of service) and, depending on heap layout and attacker control, could be leveraged for arbitrary code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), indicating remote code execution potential with low attack complexity and no privileges required. [1][2]

Mitigation

The issue is fixed in bzip3 version 1.2.3, released on 2023-04-06. Users must upgrade to 1.2.3 or later. No workaround is available for earlier versions. Fedora Linux package updates were issued on 2023-05-06 and 2023-05-07 (see references [3] and [4]). The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. [1][3][4]