p7zip has a new upstream: https://github.com/jinfeihan57/p7zip The latest version is 17.02. 17.01 fixed security issues (the other two, we previously fixed): https://github.com/jinfeihan57/p7zip/releases Alt-Linux has packaged the new upstream: http://sisyphus.ru/en/srpm/p7zip Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelienAssignee: bugsquad => geiger.david68210
Status comment: (none) => Fixed in new upstream in 17.01
Nicolas L has updated to 17.02 in SVN, but gets linking errors: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20201228222624.neoclust.duvel.1495/log/p7zip-17.02-1.mga8/build.x86_64.0.20201228222700.log It looks to me like p7zip bundles something called fast-lzma2 but fails to link this internal library when linking Lzma2Encoder.o. Looks like it also bundles ncompress code but fails to link that in when it links XzHandler.o.
Status comment: Fixed in new upstream in 17.01 => Linking errors building new upstream version 17.02
CC: (none) => mageia
Done for both Cauldron and mga7! latest 17.03 release now build fine.
thank you. src: p7zip-17.03-1.mga7
Whiteboard: MGA7TOO => (none)Assignee: geiger.david68210 => qa-bugs
Suggested Advisory: ======================== Updated p7zip package fixes security vulnerabilities: Insufficient exception handling in the method NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip can lead to multiple memory corruptions within the PPMd code, allows remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive. (CVE-2018-5996). Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive. (CVE-2018-10115). References: - https://nvd.nist.gov/vuln/detail/CVE-2018-5996 - https://nvd.nist.gov/vuln/detail/CVE-2018-10115 - https://github.com/jinfeihan57/p7zip/releases ======================== Updated packages in core/updates_testing: ======================== p7zip-17.03-1.mga7 from p7zip-17.03-1.mga7.src.rpm Related: I don't know why nvd.nist.gov talks about 18.0x version in adv whereas upstream (https://github.com/jinfeihan57/p7zip) has only 17.03 for latest... Leaving this for David W to be corrected.
Source RPM: p7zip-16.02-7.mga8.src.rpm => p7zip-16.02-5.mga7.src.rpmStatus comment: Linking errors building new upstream version 17.02 => (none)CVE: (none) => CVE-2018-5996, CVE-2018-10115Version: Cauldron => 7
Hmm, well it's good that we got Cauldron updated to the new upstream. It turns out I even missed this one in Bugzilla. These CVEs are for the RAR extraction code, which we already had disabled. The versions in the CVE descriptions are for 7-zip, not p7zip. *** This bug has been marked as a duplicate of bug 22613 ***
Status: NEW => RESOLVEDResolution: (none) => DUPLICATE