From 2f092df439722bc95d790d0a2c734e637ff08006 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 31 May 2026 15:34:33 -0700 Subject: [PATCH 1/2] bzip2: patch CVE-2026-42250 (cherry picked from commit a7b6fa34c1c4955920c50349475f41c2581981b8) --- pkgs/tools/compression/bzip2/default.nix | 3 ++ .../bzip2/patches/CVE-2026-42250.patch | 34 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index de15b36aef1c..11d964fd2f06 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -30,6 +30,9 @@ stdenv.mkDerivation ( patchFlags = [ "-p0" ]; patches = [ + # https://sourceware.org/cgit/bzip2/patch/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 + ./patches/CVE-2026-42250.patch + ./patches/bzip2-1.0.6.2-autoconfiscated.patch ]; # Fix up hardcoded version from the above patch, e.g. seen in bzip2.pc or libbz2.so.1.0.N diff --git a/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch new file mode 100644 index 000000000000..db16326cdeb7 --- /dev/null +++ b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch @@ -0,0 +1,34 @@ +From 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 28 May 2026 16:15:45 +0200 +Subject: bzip2recover: Make sure to not process more than + BZ_MAX_HANDLED_BLOCKS + +There is an off-by-one in the check before calling tooManyBlocks. This +causes the scanning loop to run one more time and cause a possible +read or write one past the global bStart, bEnd, rbStart and rbEnd +buffers. There are no known exploits of this issue and you will need +to compile with something like gcc -fsanitize=address (ASAN +AddressSanitizer) to observe the faulty read/write. + +This has been assigned CVE-2026-42250. +--- + bzip2recover.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git bzip2recover.c bzip2recover.c +index a8131e0..4b1c219 100644 +--- bzip2recover.c ++++ bzip2recover.c +@@ -402,7 +402,7 @@ Int32 main ( Int32 argc, Char** argv ) + rbEnd[rbCtr] = bEnd[currBlock]; + rbCtr++; + } +- if (currBlock >= BZ_MAX_HANDLED_BLOCKS) ++ if (currBlock >= BZ_MAX_HANDLED_BLOCKS - 1) + tooManyBlocks(BZ_MAX_HANDLED_BLOCKS); + currBlock++; + +-- +cgit + From 9949740ce0d49f0a55b2792143306b661fe6e873 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 2 Jun 2026 10:45:38 -0700 Subject: [PATCH 2/2] bzip2_1_1: mark insecure (cherry picked from commit ced25ca9a913c9238668f049d813626393d805e0) --- pkgs/tools/compression/bzip2/1_1.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/tools/compression/bzip2/1_1.nix b/pkgs/tools/compression/bzip2/1_1.nix index d62ad11e3ec4..b61f81480d6b 100644 --- a/pkgs/tools/compression/bzip2/1_1.nix +++ b/pkgs/tools/compression/bzip2/1_1.nix @@ -50,5 +50,8 @@ stdenv.mkDerivation (finalAttrs: { pkgConfigModules = [ "bz2" ]; platforms = lib.platforms.all; maintainers = [ ]; + knownVulnerabilities = [ + "CVE-2026-42250" + ]; }; })