Bug 28903

Summary: p7zip new security issue CVE-2021-3465
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: p7zip-17.04-1.mga9.src.rpm CVE: CVE-2021-3465
Status comment:

Nicolas Salguero 2021-05-11 10:43:14 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patch available from upstream
Source RPM: (none) => p7zip-17.04-1.mga9.src.rpm

Comment 1 Lewis Smith 2021-05-11 20:56:12 CEST 
Assigning to DavidG, registered & active maintainer of this.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2021-05-30 00:05:35 CEST 
Fedora has issued an advisory on April 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OJQ6YRT2OALFI2LGZSLJD5T74MV6PJ7V/

It doesn't list any CVEs, but Fedora may have relevant patches for this package.
Comment 3 David Walser 2021-06-28 22:24:25 CEST 
Advisory:
========================

Updated p7zip package fixes security vulnerabilities:

In p7zip-17.03, the function NCompress::CCopyCoder::Code in
CPP/7zip/Common/StreamObjects.cpp will call outStream->Write where a memcpy
uses a NULL pointer as destination address, leading to a crash (CVE-2021-3465).

Null pointer dereference in function Reserve() found in p7zip 16.02
(rhbz#1951218).

Null Pointer Dereference  in function NArchive::NLzh::CItem::GetUnixTime found
in p7zip 16.02 (rhbz#1951224).

The p7zip package has been patched to fix these issues.

Also, the Mageia 7 package has been updated to version 17.03.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3465
https://github.com/jinfeihan57/p7zip/releases
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/OQBZYFULI5NBGLWDHKHSVMRMYNY2XC5Q/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OJQ6YRT2OALFI2LGZSLJD5T74MV6PJ7V/
========================

Updated packages in core/updates_testing:
========================
p7zip-17.03-1.1.mga7
p7zip-17.03-1.1.mga8

from SRPMS:
p7zip-17.03-1.1.mga7.src.rpm
p7zip-17.03-1.1.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Patch available from upstream => (none)
Assignee: geiger.david68210 => qa-bugs

David Walser 2021-06-28 22:35:36 CEST

Version: Cauldron => 8

Comment 4 PC LX 2021-06-29 12:35:58 CEST 
Installed and tested without issue.

Tested all major features (create, update, test, list, extract) on new and existing 7z files.
Many of the existing files are more than a decade old so it should be a good test of backward compatibility.

One good any to test existing files in the home directory can be done by using the following command:
find ~/ -ipath '*.7z' -exec 7z t '{}' ';'

No regressions.



System: Mageia 7, x86_64, Intel CPU.



$ uname -a
Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q p7zip
p7zip-17.03-1.1.mga7

CC: (none) => mageia
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 5 Brian Rockwell 2021-06-30 20:45:10 CEST 
Upgraded and performed archival and then a restore.

Working as designed.

CC: (none) => brtians1
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 6 Aurelien Oudelet 2021-06-30 21:29:59 CEST 
Validating.
Advisory from Comment 3 pushed.

CC: (none) => ouaurelien

Aurelien Oudelet 2021-06-30 21:30:11 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-3465

Comment 7 Mageia Robot 2021-07-01 02:00:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0305.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED