FS#57383 - [p7zip] CVE-2017-17969, CVE-2018-5996

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Monday, 05 February 2018, 15:45 GMT
Last edited by Evangelos Foutras (foutrelis) - Monday, 05 February 2018, 17:04 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Evangelos Foutras (foutrelis)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Original source:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/

Sadly, upstream hasn't released a fix yet, but there's a discussion thread in upstream's bugtracker with about half a dozen different patches for CVE-2017-17969 to choose from:
https://sourceforge.net/p/p7zip/bugs/204/

Note that although all these patches have the same filename "CVE-2017-17969.patch", they do differ quite substantially and were posted by different people.

Couldn't find a single patch for CVE-2018-5996, though. Debian and Fedora also seem to have fixed only CVE-2017-17969 so far:

https://security-tracker.debian.org/tracker/source-package/p7zip
https://src.fedoraproject.org/rpms/p7zip/commits/master

Given the fact that upstream hasn't even bothered to release a fixed version for CVE-2016-9296 since July 2016, moving this dangerous mess to the AUR until it is no longer abandonware should be considered.
https://sourceforge.net/p/p7zip/bugs/185/

There seems to be an alternative read-only/decompression-only implementation of the 7z file format in libarchive, which means you can unpack 7z files using the "bsdtar" command.
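The bsdtar fallback mentioned in the report, as an added example that is not part of the original bug report or of p7zip/libarchive: a small POSIX shell script that unpacks a .7z archive with bsdtar (libarchive's 7z reader) and checks the result by round-tripping a constructed archive. It assumes a bsdtar built against a libarchive with 7zip read and write support; the file names and sample payload are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Arch bug report): unpack a .7z archive with
# bsdtar, i.e. libarchive's own 7z reader, instead of p7zip's 7z binary.
# Assumes bsdtar is built against a libarchive with 7zip read/write support.
set -eu

# Extract ARCHIVE into DEST using bsdtar. bsdtar refuses absolute paths and
# ".." path components unless -P is given, so -P is deliberately not passed.
extract_7z_with_bsdtar() {
    archive=$1
    dest=$2
    mkdir -p "$dest"
    bsdtar -xf "$archive" -C "$dest"
}

# Round trip: write a constructed 7z archive with bsdtar, extract it with
# extract_7z_with_bsdtar, and compare the extracted file with the original.
# Returns 0 on success, 1 on content mismatch, 2 if bsdtar is not installed.
roundtrip_7z() {
    if ! command -v bsdtar >/dev/null 2>&1; then
        echo "bsdtar not installed" >&2
        return 2
    fi
    work=$(mktemp -d)
    mkdir -p "$work/src/sub"
    # constructed sample payload
    printf 'constructed sample payload\n' > "$work/src/sub/note.txt"
    # --format 7zip selects libarchive's 7z writer explicitly
    (cd "$work/src" && bsdtar --format 7zip -cf "$work/sample.7z" sub)
    extract_7z_with_bsdtar "$work/sample.7z" "$work/out"
    rc=1
    if cmp -s "$work/src/sub/note.txt" "$work/out/sub/note.txt"; then
        cat "$work/out/sub/note.txt"
        rc=0
    fi
    rm -rf "$work"
    return "$rc"
}
```

To inspect an untrusted archive before unpacking it, `bsdtar -tf archive.7z` lists the entries without extracting anything.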

Closed by Evangelos Foutras (foutrelis)
Monday, 05 February 2018, 17:04 GMT
Reason for closing: Fixed
Additional comments about closing: p7zip 16.02-4
