BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
{
"unresolved_ranges": [
{
"source": "CPE_RANGE",
"vendor_product": "bzip:bzip2",
"cpes": [
"cpe:2.3:a:bzip:bzip2:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "1.0.6"
}
]
},
{
"source": "CPE_RANGE",
"vendor_product": "python:python",
"cpes": [
"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.13"
},
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.13"
},
{
"introduced": "3.9.0"
},
{
"fixed": "3.9.11"
},
{
"introduced": "3.10.0"
},
{
"fixed": "3.10.3"
}
]
},
{
"source": "CPE_STRING",
"vendor_product": "canonical:ubuntu_linux",
"cpes": [
"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "12.04"
},
{
"last_affected": "12.04"
},
{
"introduced": "14.04"
},
{
"last_affected": "14.04"
},
{
"introduced": "16.04"
},
{
"last_affected": "16.04"
},
{
"introduced": "18.04"
},
{
"last_affected": "18.04"
},
{
"introduced": "19.04"
},
{
"last_affected": "19.04"
}
]
},
{
"source": "CPE_STRING",
"vendor_product": "debian:debian_linux",
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "8.0"
},
{
"last_affected": "8.0"
}
]
},
{
"source": "CPE_STRING",
"vendor_product": "freebsd:freebsd",
"cpes": [
"cpe:2.3:o:freebsd:freebsd:11.2:-:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p10:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p11:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p12:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p2:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p3:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p4:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p5:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p6:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p7:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p8:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:p9:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.2:rc3:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.3:-:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:11.3:p1:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:-:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:p1:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:p2:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:p3:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:p4:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:p5:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:p6:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:p7:*:*:*:*:*:*",
"cpe:2.3:o:freebsd:freebsd:12.0:p8:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "11.2-NA"
},
{
"last_affected": "11.2-NA"
},
{
"introduced": "11.2-p10"
},
{
"last_affected": "11.2-p10"
},
{
"introduced": "11.2-p11"
},
{
"last_affected": "11.2-p11"
},
{
"introduced": "11.2-p12"
},
{
"last_affected": "11.2-p12"
},
{
"introduced": "11.2-p2"
},
{
"last_affected": "11.2-p2"
},
{
"introduced": "11.2-p3"
},
{
"last_affected": "11.2-p3"
},
{
"introduced": "11.2-p4"
},
{
"last_affected": "11.2-p4"
},
{
"introduced": "11.2-p5"
},
{
"last_affected": "11.2-p5"
},
{
"introduced": "11.2-p6"
},
{
"last_affected": "11.2-p6"
},
{
"introduced": "11.2-p7"
},
{
"last_affected": "11.2-p7"
},
{
"introduced": "11.2-p8"
},
{
"last_affected": "11.2-p8"
},
{
"introduced": "11.2-p9"
},
{
"last_affected": "11.2-p9"
},
{
"introduced": "11.2-rc3"
},
{
"last_affected": "11.2-rc3"
},
{
"introduced": "11.3-NA"
},
{
"last_affected": "11.3-NA"
},
{
"introduced": "11.3-p1"
},
{
"last_affected": "11.3-p1"
},
{
"introduced": "12.0-NA"
},
{
"last_affected": "12.0-NA"
},
{
"introduced": "12.0-p1"
},
{
"last_affected": "12.0-p1"
},
{
"introduced": "12.0-p2"
},
{
"last_affected": "12.0-p2"
},
{
"introduced": "12.0-p3"
},
{
"last_affected": "12.0-p3"
},
{
"introduced": "12.0-p4"
},
{
"last_affected": "12.0-p4"
},
{
"introduced": "12.0-p5"
},
{
"last_affected": "12.0-p5"
},
{
"introduced": "12.0-p6"
},
{
"last_affected": "12.0-p6"
},
{
"introduced": "12.0-p7"
},
{
"last_affected": "12.0-p7"
},
{
"introduced": "12.0-p8"
},
{
"last_affected": "12.0-p8"
}
]
},
{
"source": "CPE_STRING",
"vendor_product": "opensuse:leap",
"cpes": [
"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "15.0"
},
{
"last_affected": "15.0"
},
{
"introduced": "15.1"
},
{
"last_affected": "15.1"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"introduced": "bzip2"
},
{
"fixed": "1.0.6"
}
]
}
]
}[
{
"id": "CVE-2019-12900-85543407",
"digest": {
"line_hashes": [
"193662908927078745708702042109529205902",
"16813243021549239572194252372936960661",
"154544188480167473863108834568414589177",
"294592855379212741126804546922529497937"
],
"threshold": 0.9
},
"target": {
"file": "decompress.c"
},
"signature_version": "v1",
"source": "https://gitlab.com/federicomenaquintero/bzip2@74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc",
"deprecated": false,
"signature_type": "Line"
},
{
"id": "CVE-2019-12900-fedadc1c",
"digest": {
"length": 13498.0,
"function_hash": "188338681100398363911181230312621404683"
},
"target": {
"function": "BZ2_decompress",
"file": "decompress.c"
},
"signature_version": "v1",
"source": "https://gitlab.com/federicomenaquintero/bzip2@74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc",
"deprecated": false,
"signature_type": "Function"
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12900.json"
"2026-07-11T17:51:08Z"