Arch Linux


FS#64002 - [p7zip] Weak Encryption issue

Attached to Project: Arch Linux
Opened by Varrel Bauer (Varrel1337) - Thursday, 03 October 2019, 17:29 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 03 October 2019, 20:09 GMT
Task Type: Bug Report
Category: Security
Status: Assigned
Assigned To: Evangelos Foutras (foutrelis), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 2
Private: No

Details

Description:

Version 19.00 of 7zip has fixed some issues with the 7z encryption
https://www.7-zip.org/history.txt

Before this fix (among other things) only 8 bytes were used for initialization, which is a violation of the AES standard.

Reported here
https://twitter.com/3lbios/status/1087848040583626753

Bugreport
https://sourceforge.net/p/sevenzip/bugs/2176/

The bugreport contains a link to the collected fixes
https://github.com/aonez/Keka/files/2940620/15-Enhanced-encryption-strength.patch.zip

Please consider adding a patch for this, as the encryption used in 7z is not reliable without it.

There is no CVE I know of for this issue.


Additional info:
* package version(s) 16.02-5
https://sourceforge.net/p/sevenzip/bugs/2176/

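As an added example (not part of the report or of p7zip), the check below decodes the 7zAES coder property blob that a 7z archive stores for each encrypted stream and flags the short IV described above: CBC mode needs a full 16-byte unpredictable IV, while pre-19.00 encoders stored only 8 random bytes and zero-padded the rest. The blob layout is assumed from 7-Zip's 7zAes.cpp; the sample blobs are constructed, and extracting the blob from an archive's header is left to a 7z container parser.

```python
AES_BLOCK = 16  # CBC IV length expected for AES, in bytes


def parse_7zaes_props(props: bytes) -> dict:
    """Decode a 7zAES coder property blob (layout assumed from 7-Zip).

    byte0: bits 0-5 = NumCyclesPower (key = SHA-256 iterated 2**n times),
           bit 7 = salt present, bit 6 = IV present
    byte1: high nibble = extra salt bytes, low nibble = extra IV bytes
    then the salt bytes, then the IV bytes.
    """
    if not props:
        raise ValueError("empty property blob")
    b0 = props[0]
    cycles = b0 & 0x3F
    if (b0 & 0xC0) == 0:  # neither salt nor IV stored
        if len(props) != 1:
            raise ValueError("unexpected trailing bytes")
        return {"cycles_power": cycles, "salt": b"", "iv": b""}
    if len(props) < 2:
        raise ValueError("truncated property blob")
    b1 = props[1]
    salt_size = ((b0 >> 7) & 1) + (b1 >> 4)
    iv_size = ((b0 >> 6) & 1) + (b1 & 0x0F)
    if len(props) != 2 + salt_size + iv_size:
        raise ValueError("length does not match declared salt/IV sizes")
    if cycles > 24 or salt_size > 16 or iv_size > 16:
        raise ValueError("parameter out of range")
    salt = props[2:2 + salt_size]
    iv = props[2 + salt_size:2 + salt_size + iv_size]
    return {"cycles_power": cycles, "salt": salt, "iv": iv}


def weak_iv(props: bytes) -> bool:
    """True when fewer than 16 IV bytes are stored; the decoder zero-pads
    the remainder, which is the pre-19.00 behaviour the report describes."""
    return len(parse_7zaes_props(props)["iv"]) < AES_BLOCK


# Constructed sample blobs (hypothetical, not taken from real archives):
# 0x53 = IV-present flag | NumCyclesPower 19; second byte = IV size - 1.
OLD_PROPS = bytes([0x53, 0x07]) + bytes(range(8))   # 8-byte IV, pre-19.00 style
NEW_PROPS = bytes([0x53, 0x0F]) + bytes(range(16))  # 16-byte IV, 19.00 style

if __name__ == "__main__":
    for name, blob in (("old", OLD_PROPS), ("new", NEW_PROPS)):
        print(name, "weak IV" if weak_iv(blob) else "full IV")
```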

Comment by Eli Schwartz (eschwartz) - Thursday, 03 October 2019, 20:09 GMT
Interesting security bug, not sure what to do though. Is upstream planning on porting the new version???

Is p7zip dead software that should never be used for security because it is a joke due to tar, gz, xz, zstd, etc. existing, and when gpg does much more stable encryption by people who don't consider security to actually be literally a joke?
Comment by Varrel Bauer (Varrel1337) - Friday, 04 October 2019, 14:18 GMT
There are only irregular p7zip updates released by upstream.

While I agree that gpg would be a better option, 7z is a common format for exchanging encrypted archives between different operating systems.
Comment by leazar (leazar) - Tuesday, 19 November 2019, 16:06 GMT
There's a patch (found in the p7zip issue tracker for #2176) to use the updated code from 19.00 in p7zip 16.02 at https://github.com/aonez/Keka/files/2940620/15-Enhanced-encryption-strength.patch.zip
