FS#64002 - [p7zip] Weak Encryption issue

Attached to Project: Arch Linux
Opened by Varrel Bauer (Varrel1337) - Thursday, 03 October 2019, 17:29 GMT
Last edited by Evangelos Foutras (foutrelis) - Tuesday, 12 April 2022, 04:09 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Evangelos Foutras (foutrelis), Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:

Version 19.00 of 7zip has fixed some issues with the 7z encryption
https://www.7-zip.org/history.txt

Before this fix (among other things) only 8 bytes were used for initialization, which is a violation of the AES standard.

Reported here
https://twitter.com/3lbios/status/1087848040583626753

Bugreport
https://sourceforge.net/p/sevenzip/bugs/2176/

The bugreport contains a link to the collected fixes
https://github.com/aonez/Keka/files/2940620/15-Enhanced-encryption-strength.patch.zip

Please consider adding a patch for this, as the encryption used in 7z is not reliable without it.

There is no CVE I know of for this issue.


Additional info:
* package version(s) 16.02-5
https://sourceforge.net/p/sevenzip/bugs/2176/
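
The report above only says that pre-19.00 7-Zip used 8 bytes of IV. The following is an added example (not part of this bug report, and not code from 7-Zip or p7zip) that shows what that means at the byte level: it encodes and decodes the 7zAES coder properties blob stored in a 7z header (NumCyclesPower, salt, IV), pads the stored IV to the 16-byte CBC block the way the decoder does, and flags how many IV bytes are therefore fixed zeros. The byte layout and the key derivation follow 7-Zip's 7zAes.cpp as I know it; the report itself does not describe them, so treat that as an assumption of this example. Sample property blobs are constructed inline with os.urandom; the names OLD_PROPS, NEW_PROPS, iv_weakness and derive_key are this example's own.

```python
import hashlib
import os
import struct

AES_BLOCK = 16          # 7z uses AES-256-CBC; the IV is one block
IV_SIZE_PRE_1900 = 8    # assumption: 7-Zip < 19.00 stored 8 random IV bytes
IV_SIZE_1900 = 16       # assumption: 7-Zip >= 19.00 stores a full 16-byte IV


def encode_7zaes_props(num_cycles_power, salt, iv):
    """Build a 7zAES coder properties blob (layout assumed from 7zAes.cpp):
    byte0 = NumCyclesPower (6 bits) | salt-present (0x80) | iv-present (0x40)
    byte1 = (saltSize-1) << 4 | (ivSize-1), then salt bytes, then IV bytes."""
    if not 0 <= num_cycles_power <= 0x3F:
        raise ValueError("NumCyclesPower must fit in 6 bits")
    if len(salt) > AES_BLOCK or len(iv) > AES_BLOCK:
        raise ValueError("salt and IV are at most 16 bytes each")
    b0 = num_cycles_power | (0x80 if salt else 0) | (0x40 if iv else 0)
    if not salt and not iv:
        return bytes([b0])
    b1 = ((len(salt) - 1 if salt else 0) << 4) | (len(iv) - 1 if iv else 0)
    return bytes([b0, b1]) + bytes(salt) + bytes(iv)


def decode_7zaes_props(props):
    """Parse a properties blob into (num_cycles_power, salt, iv_as_stored),
    with the same length checks the decoder performs."""
    if not props:
        raise ValueError("empty properties")
    b0 = props[0]
    ncp = b0 & 0x3F
    if (b0 & 0xC0) == 0:
        if len(props) != 1:
            raise ValueError("trailing bytes after single-byte properties")
        return ncp, b"", b""
    if len(props) < 2:
        raise ValueError("truncated properties")
    b1 = props[1]
    salt_size = ((b0 >> 7) & 1) + (b1 >> 4)
    iv_size = ((b0 >> 6) & 1) + (b1 & 0x0F)
    if len(props) != 2 + salt_size + iv_size:
        raise ValueError("properties length does not match declared sizes")
    salt = bytes(props[2:2 + salt_size])
    iv = bytes(props[2 + salt_size:2 + salt_size + iv_size])
    if ncp > 24 or salt_size > AES_BLOCK or iv_size > AES_BLOCK:
        raise ValueError("unsupported parameter sizes")
    return ncp, salt, iv


def effective_iv(iv_stored):
    """The IV the CBC decryptor actually uses: the stored bytes, zero-padded
    to one AES block (the decoder zero-fills its IV buffer before copying)."""
    return iv_stored + b"\x00" * (AES_BLOCK - len(iv_stored))


def iv_weakness(props):
    """Number of IV bytes that are fixed zeros rather than random.
    8 for a pre-19.00 archive, 0 for an archive written with a 16-byte IV."""
    _, _, iv = decode_7zaes_props(props)
    return AES_BLOCK - len(iv)


def derive_key(password, salt, num_cycles_power):
    """7zAES key derivation (assumed from CKeyInfo::CalcKey): a single SHA-256
    over 2**NumCyclesPower copies of salt || UTF-16LE(password) || LE64 round
    counter. NumCyclesPower 0x3F means 'no hashing': key = salt || password."""
    pw = password.encode("utf-16-le")
    if num_cycles_power == 0x3F:
        key = (salt + pw)[:32]
        return key + b"\x00" * (32 - len(key))
    h = hashlib.sha256()
    for rnd in range(1 << num_cycles_power):
        h.update(salt + pw + struct.pack("<Q", rnd))
    return h.digest()


# Constructed sample blobs: no salt, NumCyclesPower 19, random IV of each size.
OLD_PROPS = encode_7zaes_props(19, b"", os.urandom(IV_SIZE_PRE_1900))
NEW_PROPS = encode_7zaes_props(19, b"", os.urandom(IV_SIZE_1900))

if __name__ == "__main__":
    for label, props in (("pre-19.00 style", OLD_PROPS), ("19.00 style", NEW_PROPS)):
        ncp, salt, iv = decode_7zaes_props(props)
        print(f"{label}: props={props.hex()} cycles=2^{ncp} salt={len(salt)}B "
              f"iv_stored={len(iv)}B effective_iv={effective_iv(iv).hex()} "
              f"fixed_iv_bytes={iv_weakness(props)}")
```

Running the block prints both blobs; the pre-19.00 one decodes with a stored IV of 8 bytes and an effective IV whose last 8 bytes are zero, which is the condition this report is about. To audit a real archive you would feed the 7zAES coder's property bytes from the 7z header into decode_7zaes_props instead of the constructed blobs.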

Closed by  Evangelos Foutras (foutrelis)
Tuesday, 12 April 2022, 04:09 GMT
Reason for closing:  Fixed
Additional comments about closing:  p7zip 1:17.04-1 (https://github.com/jinfeihan57/p7zip/commit/6106df26ff64)
Comment by Eli Schwartz (eschwartz) - Thursday, 03 October 2019, 20:09 GMT
Interesting security bug, not sure what to do though. Is upstream planning on porting the new version???

Is p7zip dead software that should never be used for security because it is a joke due to tar, gz, xz, zstd, etc. existing, and when gpg does much more stable encryption by people who don't consider security to actually be literally a joke?
Comment by Varrel Bauer (Varrel1337) - Friday, 04 October 2019, 14:18 GMT
There are only irregular p7zip updates released by upstream.

While I agree that gpg would be a better option, 7z is a common format for exchanging encrypted archives between different operating systems.
Comment by leazar (leazar) - Tuesday, 19 November 2019, 16:06 GMT
There's a patch (found in the p7zip issue tracker for #2176) to use the updated code from 19.00 in p7zip 16.02 at https://github.com/aonez/Keka/files/2940620/15-Enhanced-encryption-strength.patch.zip