FS#57383 - [p7zip] CVE-2017-17969, CVE-2018-5996
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Monday, 05 February 2018, 15:45 GMT
Last edited by Evangelos Foutras (foutrelis) - Monday, 05 February 2018, 17:04 GMT
Details
Original source:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/

Sadly, upstream hasn't released a fix yet, but there's a discussion thread in upstream's bugtracker with about half a dozen different patches for CVE-2017-17969 to choose from: https://sourceforge.net/p/p7zip/bugs/204/

Note that although all these patches have the same filename "CVE-2017-17969.patch", they do differ quite substantially and were posted by different people.

Couldn't find a single patch for CVE-2018-5996, though. Debian and Fedora also seem to have fixed only CVE-2017-17969 so far:
https://security-tracker.debian.org/tracker/source-package/p7zip
https://src.fedoraproject.org/rpms/p7zip/commits/master

Given the fact that upstream hasn't even bothered to release a fixed version for CVE-2016-9296 since July 2016, it should be considered to move this dangerous mess to AUR until it is not abandonware anymore. https://sourceforge.net/p/p7zip/bugs/185/

There seems to be an alternative read-only/decompression-only implementation of the 7z file format in libarchive, which means you can unpack 7z files using the "bsdtar" command.
This task depends upon
Closed by Evangelos Foutras (foutrelis)
Monday, 05 February 2018, 17:04 GMT
Reason for closing: Fixed
Additional comments about closing: p7zip 16.02-4