Hi all,
p7zip is in version 16.02-4.mga7 for the cauldron, and people recently discovered a vulnerability and suggest updating p7zip to version 18.
<Sophie> 16.02-4.mga7 // core-release (Mga, cauldron, x86_64)
<Sophie> 16.02-4.mga7 // core-release (Mga, cauldron, i586)
The great sophie told me daviddavid is in charge.
<Sophie> For Mageia (p7zip): daviddavid
Good evening!
Jibz
Ok, and where is the 18 release?
CC: (none) => geiger.david68210
Meh... You are right, there is no code available now for Linux...
https://sourceforge.net/p/p7zip/discussion/383043/thread/fa143cf2/?limit=25#2325
It seems their Linux developer has not been responding for months.
So, do we close this bug report?
(In reply to David GEIGER from comment #1)
> Ok, and where is the 18 release?

(In reply to J-B B from comment #2)
> Meh...
>
> You are right, there is no code available now for Linux...
> https://sourceforge.net/p/p7zip/discussion/383043/thread/fa143cf2/?limit=25#2325
> It seems their Linux developer has not been responding for months.
>
> So, do we close this bug report?

No, afaik the vulnerabilities solved by version 18 exist in Linux, too.
Btw, Debian seems to have a patch for CVE-2017-17969
https://sourceforge.net/p/p7zip/bugs/204/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888297
CVE-2018-5996 seems to be for 7zip-rar only... we don't have that, do we?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888314
Keywords: (none) => UPSTREAM
CC: (none) => marja11
QA Contact: (none) => security
See Also: (none) => https://sourceforge.net/p/p7zip/bugs/204/, http://bugs.debian.org/888297
Summary: p7zip has a vulnerability => p7zip has a vulnerability CVE-2017-17969
Assignee: bugsquad => geiger.david68210
Component: RPM Packages => Security
Jibz, if you had stayed on IRC longer I'd have told you the RAR bugs (CVE-2018-5996 and CVE-2018-10115) don't affect us (Bug 22613). Also, please search bugzilla first as we already fixed CVE-2017-17969.

*** This bug has been marked as a duplicate of bug 22523 ***
Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE
Hi David,
Sorry, I sleep at night and I turn the computer off. And I searched on bugzilla, try it yourself: no result for p7zip, and no bug 22523 nor 22613 for the search p7.
Your message looks like a reproach, I'm sorry to annoy.
It's not a reproach, but I need you to learn how to search bugzilla if you're going to report security issues (which is quite welcome, in fact one of the CVEs in one of the links you posted on IRC I wasn't previously aware of). You have to do advanced search and at least make sure FIXED also gets searched (hold the Ctrl key when you click on FIXED). You would have also needed to select INVALID to be able to find the RAR issue I had previously filed a bug for.
(In reply to J-B B from comment #5)
> And I searched on bugzilla, try by yourself,
> no result for p7zip, and no bug 22523 nor 22613 for the research p7.

I didn't search well, either, I only did a quick search (using the small search box at the top of this screen) for CVE-2017-17969 because I wrongly assumed this issue couldn't already have been fixed.
I should have done
ALL CVE-2017-17969
Putting "ALL" before the search strings finds all related bugs, regardless of whether they're open, fixed, invalid or whatnot.
ALL p7zip
returns 12 bug reports, including the ones we should have seen ;-)