Fix CVE-2016-3189

bzip2-1.0.6-CVE-2016-3189.patch

@@ -0,0 +1,11 @@
+diff -up ./bzip2recover.c.old ./bzip2recover.c
+--- ./bzip2recover.c.old	2016-03-22 08:49:38.855620000 +0100
++++ ./bzip2recover.c	2016-03-30 10:22:27.341430099 +0200
+@@ -458,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
++            outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;

bzip2.spec

@@ -7,7 +7,7 @@
 Summary:	Extremely powerful file compression utility
 Name:		bzip2
 Version:	1.0.6
-Release:	11
+Release:	12
 License:	BSD
 Group:		Archiving/Compression
 Url:		http://www.bzip.org/index.html
@@ -16,6 +16,7 @@ Source1:	bzgrep
 Source2:	bzme
 Source3:	bzme.1
 Patch0:		bzip2-1.0.6-makefile.diff
+Patch1:		bzip2-1.0.6-CVE-2016-3189.patch
 BuildRequires:	libtool
 BuildRequires:	texinfo
 %if %{with pdf}
@@ -81,6 +82,7 @@ will use the bzip2 library (aka libz2).
 %prep
 %setup -q
 %patch0 -p1 -b .makefile
+%patch1 -p1 -b .CVE-2016-3189
 
 echo "lib = %{_lib}" >> config.in
 echo "CFLAGS = %{optflags}" >> config.in