CVE-2023-29415 | Vulnerability Database | Aqua Security

An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A denial of service (process hang) can occur with a crafted archive because bzip3 does not follow the required procedure for interacting with libsais.

Affected Software

Name	Vendor	Start Version	End Version
Bzip3	Bzip3_project	*	1.3.0 (excluding)
Bzip3	Ubuntu	esm-apps/noble	*
Bzip3	Ubuntu	lunar	*
Bzip3	Ubuntu	mantic	*
Bzip3	Ubuntu	noble	*
Bzip3	Ubuntu	upstream	*

References

https://github.com/kspalaiologos/bzip3/compare/1.2.3...1.3.0
https://github.com/kspalaiologos/bzip3/issues/95
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JLSE25SV7K2NB6FTFT4UHJOJUHBHYHY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NA7S7HDUAINOTCSWQZ5LIW756DYY22V2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMLFV2FJK3CM7NJLVPZI5RUAFQZICPWW/
https://security-tracker.debian.org/tracker/CVE-2023-29415
https://github.com/kspalaiologos/bzip3/compare/1.2.3...1.3.0
https://github.com/kspalaiologos/bzip3/issues/95
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JLSE25SV7K2NB6FTFT4UHJOJUHBHYHY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NA7S7HDUAINOTCSWQZ5LIW756DYY22V2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMLFV2FJK3CM7NJLVPZI5RUAFQZICPWW/
https://security-tracker.debian.org/tracker/CVE-2023-29415

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-29415
CWE	https://cwe.mitre.org/data/definitions/.html