{"id":"PYSEC-2020-30","details":"A buffer overflow in the patching routine of bsdiff4 before 1.2.0 allows an attacker to write to heap memory (beyond allocated bounds) via a crafted patch file.","aliases":["CVE-2020-15904","GHSA-f8m3-jpxr-hm5x"],"modified":"2024-02-23T20:58:32.098271Z","published":"2020-07-22T23:15:00Z","references":[{"type":"FIX","url":"https://github.com/ilanschnell/bsdiff4/commit/49a4cee2feef7deaf9d89e5e793a8824930284d7"},{"type":"WEB","url":"https://github.com/ilanschnell/bsdiff4/blob/master/CHANGELOG.txt"}],"affected":[{"package":{"name":"bsdiff4","ecosystem":"PyPI","purl":"pkg:pypi/bsdiff4"},"ranges":[{"type":"GIT","repo":"https://github.com/ilanschnell/bsdiff4","events":[{"introduced":"0"},{"fixed":"49a4cee2feef7deaf9d89e5e793a8824930284d7"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.0"}]}],"versions":["1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/bsdiff4/PYSEC-2020-30.yaml"}}],"schema_version":"1.7.3"}