ArchLinux: 201702-19: bzip2: denial of service
Summary
A use-after-free flaw was found in bzip2recover, the damaged-archive recovery tool shipped with bzip2, leading to a NULL pointer dereference or a write to a closed file descriptor. An attacker could exploit this flaw by supplying a specially crafted bzip2 file to bzip2recover and forcing the program to crash (denial of service).
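The following C program is an added illustration of the bug class named in the summary, not bzip2recover's source: a block writer that is closed and freed when an end marker is reached, with the pointer to it kept and reused. Everything in it (the BitWriter type, the Block table, the function names, the sample bit string and marker tables) is a constructed assumption made for this example. The unchecked form shows how an end marker placed before its start marker reaches the close on a NULL or dangling writer; the hardened form validates the marker table before writing and nulls the pointer after close.

```c
/* Added illustration of the bug class described in the advisory. NOT
 * bzip2recover's code: writer, table layout and sample input are assumptions. */
#include <stdio.h>
#include <stdlib.h>

/* Minimal bit writer. It stands in for the output stream object that a
 * recovery tool opens per block; here it wraps a tmpfile(). */
typedef struct {
    FILE *fh;
    long bits;
} BitWriter;

static BitWriter *bw_open(void)
{
    BitWriter *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->fh = tmpfile();
    if (!w->fh) { free(w); return NULL; }
    return w;
}

static void bw_put_bit(BitWriter *w, int bit)
{
    fputc(bit ? '1' : '0', w->fh);
    w->bits++;
}

/* Closes the FILE* and frees the writer; any later use of w is a
 * use-after-free (the shape assumed for the flaw in the summary). */
static long bw_close(BitWriter *w)
{
    long n = w->bits;
    fclose(w->fh);
    free(w);
    return n;
}

/* Bit offsets of a block's start and end magic, as found by scanning the
 * input. A crafted file can place an end marker before a start marker. */
typedef struct { long start, end; } Block;

/* Vulnerable shape (illustration only; never call it on a crafted table):
 * the table is not validated and w keeps pointing at the closed writer.
 * With end < start on the first block, bw_close(NULL) dereferences NULL;
 * on a later block it reads freed memory and calls fclose() on an already
 * closed stream. */
int recover_blocks_unchecked(const unsigned char *bits, long nbits,
                             const Block *blk, int nblk)
{
    BitWriter *w = NULL;
    int cur = 0, written = 0;
    for (long pos = 0; pos < nbits && cur < nblk; pos++) {
        if (pos == blk[cur].start) w = bw_open();
        if (pos >= blk[cur].start) bw_put_bit(w, bits[pos]);
        if (pos == blk[cur].end) {
            bw_close(w);          /* w may be NULL or dangling here */
            written++;
            cur++;
        }
    }
    return written;
}

/* Hardened form: reject a table whose blocks are out of range, reversed or
 * overlapping before any output is written, and null the writer pointer as
 * soon as it is closed so a logic slip hits a NULL check, not freed memory.
 * Returns the number of blocks written (bits_out receives the bit total),
 * or -1 on a malformed table. */
int recover_blocks(const unsigned char *bits, long nbits,
                   const Block *blk, int nblk, long *bits_out)
{
    for (int i = 0; i < nblk; i++) {
        if (blk[i].start < 0 || blk[i].end < blk[i].start || blk[i].end >= nbits)
            return -1;                    /* end before start, or out of range */
        if (i > 0 && blk[i].start <= blk[i - 1].end)
            return -1;                    /* blocks overlap */
    }

    BitWriter *w = NULL;
    int cur = 0, written = 0;
    long total = 0;
    for (long pos = 0; pos < nbits && cur < nblk; pos++) {
        if (pos == blk[cur].start) {
            w = bw_open();
            if (!w) return -1;
        }
        if (w) bw_put_bit(w, bits[pos]);
        if (pos == blk[cur].end) {
            total += bw_close(w);
            w = NULL;                     /* never keep a pointer to a freed writer */
            written++;
            cur++;
        }
    }
    if (bits_out) *bits_out = total;
    return written;
}

int main(void)
{
    /* Constructed 32-bit input, one sane table and one crafted table whose
     * end marker precedes its start marker. */
    unsigned char bits[32];
    for (int i = 0; i < 32; i++) bits[i] = (unsigned char)(i & 1);
    const Block good[] = { {2, 9}, {12, 20} };
    const Block crafted[] = { {5, 3} };
    long n = 0;
    int r = recover_blocks(bits, 32, good, 2, &n);
    printf("good table: %d blocks, %ld bits written\n", r, n);
    r = recover_blocks(bits, 32, crafted, 1, &n);
    printf("crafted table: %d (rejected before any write)\n", r);
    return 0;
}
```

The two defences are independent: the up-front table check is what stops the crafted file from ever reaching a close on a writer that was not opened, and nulling the pointer after close is what turns any remaining ordering mistake into a reproducible NULL dereference instead of a silent write through freed memory.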
Resolution
Upgrade to 1.0.6-6.
# pacman -Syu "bzip2>=1.0.6-6"
The problem has been fixed upstream, but no upstream release containing the fix is available yet; the fix is carried in the 1.0.6-6 package.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1319648
https://security.archlinux.org/CVE-2016-3189
Workaround
None.