bzip2 1.0.7

We are happy to announce the release of bzip2 1.0.7.

This is an emergency release because the old bzip2 website is gone and there were outstanding security issues. The original bzip2 home, downloads and documentation can now be found at: https://sourceware.org/bzip2/

bzip2 1.0.7 contains only the following bug/security fixes:

  • Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH
  • bzip2: Fix return value when combining –test,-t and -q.
  • bzip2recover: Fix buffer overflow for large argv[0]
  • bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)
  • Make sure nSelectors is not out of range (CVE-2019-12900)

A future 1.1.x release is being prepared by Federico Mena Quintero, which will include more fixes, an updated build system and possibly an updated SONAME default.

Please read his blog for more background on this.

NOTE/WARNING: There has been a report that the CVE-2019-12900 fix prevents decompression of some (buggy lbzip2 compressed) files that bzip2 1.0.6 could decompress. See the discussion on the bzip2-devel mailinglist. There is a proposed workaround now.