Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#64002 - [p7zip] Weak Encryption issue
Attached to Project:
Arch Linux
Opened by Varrel Bauer (Varrel1337) - Thursday, 03 October 2019, 17:29 GMT
Last edited by Evangelos Foutras (foutrelis) - Tuesday, 12 April 2022, 04:09 GMT
Details

Description:

Version 19.00 of 7zip has fixed some issues with the 7z encryption: https://www.7-zip.org/history.txt

Before this fix (among other things) only 8 bytes were used for initialization, which is a violation of the AES standard.

Reported here: https://twitter.com/3lbios/status/1087848040583626753
Bug report: https://sourceforge.net/p/sevenzip/bugs/2176/

The bug report contains a link to the collected fixes: https://github.com/aonez/Keka/files/2940620/15-Enhanced-encryption-strength.patch.zip

Please consider adding a patch for this, as the encryption used in 7z is not reliable without it. There is no CVE I know of for this issue.

Additional info:
* package version(s): 16.02-5
* https://sourceforge.net/p/sevenzip/bugs/2176/
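As an added example (not part of the ticket, and not code from p7zip or 7-Zip), the following Python decoder reads the 7zAES coder-property bytes that a .7z archive stores for each encrypted folder and reports how many IV bytes the archive was written with. The property layout is assumed from reading 7-Zip's 7zAes.cpp decoder and is not stated in the ticket; the two sample blobs are constructed to mirror what the pre-19.00 encoder (8 IV bytes) and the 19.00 encoder (16 IV bytes) emit, and the function names are this example's own.

```python
# Added example: decode a 7zAES coder-property blob and flag archives whose
# CBC IV is shorter than the 16-byte AES block.
#
# Assumed layout (from 7-Zip's 7zAes.cpp decoder, not from the ticket):
#   byte 0 : bits 0-5 = NumCyclesPower (key derivation runs 2**N rounds)
#            bit 7    = salt present, bit 6 = IV present
#   byte 1 : high nibble = saltSize - 1, low nibble = ivSize - 1
#            (only present when bit 6 or bit 7 of byte 0 is set)
#   then saltSize bytes of salt, then ivSize bytes of IV.
#   Missing IV bytes are zero-filled by the decoder, so an 8-byte IV means
#   only 64 bits of per-archive randomness.
from dataclasses import dataclass

AES_BLOCK_SIZE = 16


@dataclass(frozen=True)
class SevenZipAesProps:
    num_cycles_power: int
    salt: bytes
    iv: bytes

    @property
    def iv_entropy_bits(self) -> int:
        # Only the bytes actually stored are random; the rest are zero-filled.
        return 8 * len(self.iv)


def parse_7zaes_props(props: bytes) -> SevenZipAesProps:
    """Parse the raw 7zAES coder properties; raise ValueError on malformed input."""
    if not props:
        raise ValueError("empty 7zAES property blob")
    b0 = props[0]
    num_cycles_power = b0 & 0x3F
    if (b0 & 0xC0) == 0:
        # Neither salt nor IV flagged: the blob must be exactly one byte.
        if len(props) != 1:
            raise ValueError("no salt/IV flagged but extra bytes present")
        return SevenZipAesProps(num_cycles_power, b"", b"")
    if len(props) < 2:
        raise ValueError("salt/IV flagged but size byte missing")
    b1 = props[1]
    salt_size = ((b0 >> 7) & 1) + (b1 >> 4)
    iv_size = ((b0 >> 6) & 1) + (b1 & 0x0F)
    if salt_size > 16 or iv_size > 16 or num_cycles_power > 24:
        raise ValueError("salt/IV/cycles outside the sizes 7zAES supports")
    if len(props) != 2 + salt_size + iv_size:
        raise ValueError(f"expected {2 + salt_size + iv_size} bytes, got {len(props)}")
    salt = bytes(props[2:2 + salt_size])
    iv = bytes(props[2 + salt_size:2 + salt_size + iv_size])
    return SevenZipAesProps(num_cycles_power, salt, iv)


def classify_iv(props: bytes) -> str:
    """Return 'short-iv' for a pre-19.00 style archive, 'full-iv' otherwise."""
    parsed = parse_7zaes_props(props)
    return "full-iv" if len(parsed.iv) >= AES_BLOCK_SIZE else "short-iv"


# Constructed sample blobs (NumCyclesPower 19, no salt), not taken from real archives.
OLD_ENCODER_PROPS = bytes([0x53, 0x07]) + bytes(range(8))    # 8-byte IV
NEW_ENCODER_PROPS = bytes([0x53, 0x0F]) + bytes(range(16))   # 16-byte IV

if __name__ == "__main__":
    for label, blob in (("pre-19.00", OLD_ENCODER_PROPS), ("19.00", NEW_ENCODER_PROPS)):
        p = parse_7zaes_props(blob)
        print(f"{label}: cycles=2**{p.num_cycles_power} salt={len(p.salt)}B "
              f"iv={len(p.iv)}B ({p.iv_entropy_bits} bits) -> {classify_iv(blob)}")
```

Because the stock 7-Zip encoder writes no salt, the IV is the only per-archive randomness that separates two archives protected by the same password; that is why the 8-byte IV the reporter describes matters, and why a 16-byte check like the one above is a reasonable way to spot archives produced by the older encoder.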
This task depends upon
Closed by Evangelos Foutras (foutrelis)
Tuesday, 12 April 2022, 04:09 GMT
Reason for closing: Fixed
Additional comments about closing: p7zip 1:17.04-1 (https://github.com/jinfeihan57/p7zip/commit/6106df26ff64)
Is p7zip dead software that should never be used for security because it is a joke due to tar, gz, xz, zstd, etc. existing, and when gpg does much more stable encryption by people who don't consider security to actually be literally a joke?
While I agree that gpg would be a better option, 7z is a common format for exchanging encrypted archives between different operating systems.