Bug 27713

Summary: p7zip new security issues CVE-2018-5996 and CVE-2018-10115
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED DUPLICATE QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, ouaurelien
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: p7zip-16.02-5.mga7.src.rpm CVE: CVE-2018-5996, CVE-2018-10115
Status comment:

Description David Walser 2020-12-02 21:47:52 CET 
p7zip has a new upstream:
https://github.com/jinfeihan57/p7zip

The latest version is 17.02.  17.01 fixed security issues (the other two, we previously fixed):
https://github.com/jinfeihan57/p7zip/releases

Alt-Linux has packaged the new upstream:
http://sisyphus.ru/en/srpm/p7zip

Mageia 7 is also affected.
David Walser 2020-12-02 21:48:00 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2020-12-07 10:49:24 CET 
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => geiger.david68210

David Walser 2020-12-27 21:19:41 CET

Status comment: (none) => Fixed in new upstream in 17.01

Comment 2 David Walser 2020-12-28 23:54:06 CET 
Nicolas L has updated to 17.02 in SVN, but gets linking errors:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20201228222624.neoclust.duvel.1495/log/p7zip-17.02-1.mga8/build.x86_64.0.20201228222700.log

It looks to me like p7zip bundles something called fast-lzma2 but fails to link this internal library when linking Lzma2Encoder.o.  Looks like it also bundles ncompress code but fails to link that in when it links XzHandler.o.

Status comment: Fixed in new upstream in 17.01 => Linking errors building new upstream version 17.02

David Walser 2020-12-28 23:54:17 CET

CC: (none) => mageia

Comment 3 David GEIGER 2021-01-12 06:44:06 CET 
Done for both Cauldron and mga7! latest 17.03 release now build fine.
Comment 4 Nicolas Lécureuil 2021-01-12 11:00:26 CET 
thank you. 


src:
    p7zip-17.03-1.mga7

Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs

Comment 5 Aurelien Oudelet 2021-01-12 14:11:39 CET 
Suggested Advisory:
========================

Updated p7zip package fixes security vulnerabilities:

Insufficient exception handling in the method NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip can lead to multiple memory corruptions within the PPMd code, allows remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive. (CVE-2018-5996).

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive. (CVE-2018-10115).

References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-5996
- https://nvd.nist.gov/vuln/detail/CVE-2018-10115
- https://github.com/jinfeihan57/p7zip/releases
========================

Updated packages in core/updates_testing:
========================
p7zip-17.03-1.mga7

from p7zip-17.03-1.mga7.src.rpm



Related: I don't know why nvd.nist.gov talks about 18.0x version in adv whereas upstream (https://github.com/jinfeihan57/p7zip) has only 17.03 for latest...
Leaving this for David W to be corrected.

Source RPM: p7zip-16.02-7.mga8.src.rpm => p7zip-16.02-5.mga7.src.rpm
Status comment: Linking errors building new upstream version 17.02 => (none)
CVE: (none) => CVE-2018-5996, CVE-2018-10115
Version: Cauldron => 7

Comment 6 David Walser 2021-01-12 17:35:11 CET 
Hmm, well it's good that we got Cauldron updated to the new upstream.  It turns out I even missed this one in Bugzilla.  These CVEs are for the RAR extraction code, which we already had disabled.  The versions in the CVE descriptions are for 7-zip, not p7zip.

*** This bug has been marked as a duplicate of bug 22613 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE