CVE-2026-42250: bzip2 -> 1.0.8

[jasonodoom]

⚠️ EXPERIMENTAL source-backport — NOT a version bump

This PR authors the upstream fix as an in-tree patch against the current nixpkgs version (no version bump). An agent generated it; a cross-family reviewer verified it transcribes the upstream commit, and a cert proved the bundled reproducer goes red→green. A human maintainer must still confirm sufficiency before merging:

• This applies the COMPLETE upstream fix, not one of several required commits.
• The backported hunk matches the upstream fix commit(s):
  • https://sourceware.org/git/bzip2.git/commit/35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
• Reviewed the cert evidence (reproducer red→green) for CVE-2026-42250.

Opened as a draft deliberately — mark Ready-for-review only after the boxes above are checked.

---

Evidence: CVE-2026-42250 (human-review-required) trace bundle 557f38931ebc9d64

• Rekor entry: https://rekor.sigstore.dev/api/v1/log/entries?logIndex=1796255491
• Workflow identity: https://github.com/Ad-Astra-Computing/trace/.github/workflows/steward.yml@refs/heads/main
• OIDC issuer: https://token.actions.githubusercontent.com
• nixpkgs rev: d73a36d3b64eb068e0304b4d72b5ff3878dc9d65

Verify locally

gh run download <run-id> --name steward-smoke-<bundle> --dir ./artifact
trace bundle verify ./artifact  # bundle_id=557f38931ebc9d64

Generated by trace.