[Backport staging-25.11] bzip2: patch CVE-2026-42250 (#527234)

pkgs/tools/compression/bzip2/1_1.nix

@@ -50,5 +50,8 @@ stdenv.mkDerivation (finalAttrs: {
     pkgConfigModules = [ "bz2" ];
     platforms = lib.platforms.all;
     maintainers = [ ];
+    knownVulnerabilities = [
+      "CVE-2026-42250"
+    ];
   };
 })

pkgs/tools/compression/bzip2/default.nix

@@ -30,6 +30,9 @@ stdenv.mkDerivation (
     patchFlags = [ "-p0" ];
 
     patches = [
+      # https://sourceware.org/cgit/bzip2/patch/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
+      ./patches/CVE-2026-42250.patch
+
       ./patches/bzip2-1.0.6.2-autoconfiscated.patch
     ];
     # Fix up hardcoded version from the above patch, e.g. seen in bzip2.pc or libbz2.so.1.0.N

pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch

@@ -0,0 +1,34 @@
+From 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 28 May 2026 16:15:45 +0200
+Subject: bzip2recover: Make sure to not process more than
+ BZ_MAX_HANDLED_BLOCKS
+
+There is an off-by-one in the check before calling tooManyBlocks. This
+causes the scanning loop to run one more time and cause a possible
+read or write one past the global bStart, bEnd, rbStart and rbEnd
+buffers. There are no known exploits of this issue and you will need
+to compile with something like gcc -fsanitize=address (ASAN
+AddressSanitizer) to observe the faulty read/write.
+
+This has been assigned CVE-2026-42250.
+---
+ bzip2recover.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git bzip2recover.c bzip2recover.c
+index a8131e0..4b1c219 100644
+--- bzip2recover.c
++++ bzip2recover.c
+@@ -402,7 +402,7 @@ Int32 main ( Int32 argc, Char** argv )
+             rbEnd[rbCtr] = bEnd[currBlock];
+             rbCtr++;
+          }
+-         if (currBlock >= BZ_MAX_HANDLED_BLOCKS)
++         if (currBlock >= BZ_MAX_HANDLED_BLOCKS - 1)
+             tooManyBlocks(BZ_MAX_HANDLED_BLOCKS);
+          currBlock++;
+ 
+-- 
+cgit 
+