{"id":"CVE-2019-12900","details":"BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.","aliases":["HSEC-2024-0002","PSF-2019-4"],"modified":"2026-04-16T04:36:06.781396054Z","published":"2019-06-19T23:15:09.910Z","related":["ALSA-2024:8922","ALSA-2025:0733","ALSA-2025:0925","SUSE-SU-2019:14122-1","SUSE-SU-2019:14139-1","SUSE-SU-2019:14231-1","SUSE-SU-2019:1846-1","SUSE-SU-2019:1955-1","SUSE-SU-2019:2004-1","SUSE-SU-2019:2013-1","SUSE-SU-2019:2013-2","SUSE-SU-2019:3053-1","SUSE-SU-2019:3066-1","SUSE-SU-2020:3729-1","SUSE-SU-2020:3790-1","SUSE-SU-2020:3918-1","openSUSE-SU-2019:1781-1","openSUSE-SU-2019:1918-1","openSUSE-SU-2019:2595-1","openSUSE-SU-2019:2597-1","openSUSE-SU-2020:2268-1","openSUSE-SU-2020:2276-1","openSUSE-SU-2024:10667-1","openSUSE-SU-2024:10685-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774%40%3Cuser.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4%40%3Cuser.flink.apache.org%3E"},{"type":"WEB","url":"https://support.f5.com/csp/article/K68713584?utm_source=f5support&amp%3Butm_medium=RSS"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Jul/22"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4038-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4038-2/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4146-1/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4146-2/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"FIX","url":"https://seclists.org/bugtraq/2019/Aug/4"},{"type":"FIX","url":"https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc"},{"type":"FIX","url":"https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"1bf9cc509326bc42cd8cb1650eb9bf64550d817e"},{"fixed":"000593c0f97ac9b75b56064a957b84a3aaa60674"},{"introduced":"fa919fdf2583bdfead1df00e842f24f30b2a34bf"},{"fixed":"ea673213dd30afd8cacb53927e7d86f6125e86c8"},{"introduced":"9cf6752276e6fcfd0c23fdb064ad27f448aaaf75"},{"fixed":"2de452f8bf2f78417e04bcf7919beb502c53a0e2"},{"introduced":"b494f5935c92951e75597bfe1c8b1f3112fec270"},{"fixed":"a342a49189c16f01e7b95e0bf22ea2bd539222cd"}],"database_specific":{"versions":[{"introduced":"3.7.0"},{"fixed":"3.7.13"},{"introduced":"3.8.0"},{"fixed":"3.8.13"},{"introduced":"3.9.0"},{"fixed":"3.9.11"},{"introduced":"3.10.0"},{"fixed":"3.10.3"}]}},{"type":"GIT","repo":"https://gitlab.com/federicomenaquintero/bzip2","events":[{"introduced":"0"},{"fixed":"74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc"}]}],"database_specific":{"vanir_signatures_modified":"2026-04-11T08:55:51Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p10"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p11"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p12"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p3"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p4"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p5"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p6"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p7"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p8"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-p9"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3-p1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-p1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-p2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-p3"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-p4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-p5"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-p6"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-p7"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0-p8"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12900.json","vanir_signatures":[{"source":"https://gitlab.com/federicomenaquintero/bzip2@74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2019-12900-85543407","digest":{"threshold":0.9,"line_hashes":["193662908927078745708702042109529205902","16813243021549239572194252372936960661","154544188480167473863108834568414589177","294592855379212741126804546922529497937"]},"target":{"file":"decompress.c"}},{"source":"https://gitlab.com/federicomenaquintero/bzip2@74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2019-12900-fedadc1c","digest":{"function_hash":"188338681100398363911181230312621404683","length":13498},"target":{"function":"BZ2_decompress","file":"decompress.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}