Bug 22613

Summary: p7zip new security issue CVE-2018-5996
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: p7zip-16.02-2.1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-02-16 21:22:29 CET 
SUSE has issued an advisory today (February 16):
https://lists.opensuse.org/opensuse-security-announce/2018-02/msg00034.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-16 21:22:51 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-02-16 21:44:47 CET 
FYI, Fedora has an "improved security patch" for the last CVE we fixed:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JDDLRNAWT4IVFFYKNVAKZR2C4QP6TX2T/
Comment 2 David GEIGER 2018-02-17 02:34:24 CET 
@David
CVE-2016-1372 is only for 9.20.1 release not for our 16.02 release
Comment 3 David Walser 2018-02-17 02:53:14 CET 
(In reply to David GEIGER from comment #2)
> @David
> CVE-2016-1372 is only for 9.20.1 release not for our 16.02 release

So in other words it only affects Mageia 5 and we won't be fixing it.  OK.

Summary: p7zip new security issues CVE-2016-1372 and CVE-2018-5996 => p7zip new security issue CVE-2018-5996

Comment 4 David GEIGER 2018-02-17 03:39:03 CET 
So done for mga6 and Cauldron!
Comment 5 David Walser 2018-02-17 03:46:21 CET 
Thanks!

I see now that this CVE only affects the RAR support, which our package removes.

Closing.

Status: NEW => RESOLVED
Whiteboard: MGA6TOO => (none)
Resolution: (none) => INVALID

Comment 6 David Walser 2018-05-08 17:09:10 CEST 
There is also a CVE-2018-10115 that only affects RAR, so that doesn't affect us either.
Comment 7 David Walser 2021-01-12 17:35:11 CET 
*** Bug 27713 has been marked as a duplicate of this bug. ***