OpenSUSE has issued an advisory on May 8:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/OQBZYFULI5NBGLWDHKHSVMRMYNY2XC5Q/
Reference: https://github.com/jinfeihan57/p7zip/issues/130
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patch available from upstream
Source RPM: (none) => p7zip-17.04-1.mga9.src.rpm
Assigning to DavidG, registered & active maintainer of this.
Assignee: bugsquad => geiger.david68210
Fedora has issued an advisory on April 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OJQ6YRT2OALFI2LGZSLJD5T74MV6PJ7V/ It doesn't list any CVEs, but Fedora may have relevant patches for this package.
Advisory:
========================

Updated p7zip package fixes security vulnerabilities:

In p7zip-17.03, the function NCompress::CCopyCoder::Code in CPP/7zip/Common/StreamObjects.cpp will call outStream->Write where a memcpy uses a NULL pointer as destination address, leading to a crash (CVE-2021-3465).

Null pointer dereference in function Reserve() found in p7zip 16.02 (rhbz#1951218).

Null Pointer Dereference in function NArchive::NLzh::CItem::GetUnixTime found in p7zip 16.02 (rhbz#1951224).

The p7zip package has been patched to fix these issues. Also, the Mageia 7 package has been updated to version 17.03.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3465
https://github.com/jinfeihan57/p7zip/releases
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/OQBZYFULI5NBGLWDHKHSVMRMYNY2XC5Q/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OJQ6YRT2OALFI2LGZSLJD5T74MV6PJ7V/
========================

Updated packages in core/updates_testing:
========================
p7zip-17.03-1.1.mga7
p7zip-17.03-1.1.mga8

from SRPMS:
p7zip-17.03-1.1.mga7.src.rpm
p7zip-17.03-1.1.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Patch available from upstream => (none)
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 8
Installed and tested without issue. Tested all major features (create, update, test, list, extract) on new and existing 7z files. Many of the existing files are more than a decade old so it should be a good test of backward compatibility.

One good way to test existing files in the home directory is by using the following command:

    find ~/ -ipath '*.7z' -exec 7z t '{}' ';'

No regressions.

System: Mageia 7, x86_64, Intel CPU.

    $ uname -a
    Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    $ rpm -q p7zip
    p7zip-17.03-1.1.mga7
CC: (none) => mageia
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Upgraded and performed archival and then a restore. Working as designed.
CC: (none) => brtians1
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory from Comment 3 pushed.
CC: (none) => ouaurelien
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-3465
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0305.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED