Bug 33365 - p7zip new security issues CVE-2023-5216[89]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
Whiteboard: MGA9TOO
Reported: 2024-07-04 15:24 CEST by Nicolas Salguero
Modified: 2024-07-05 21:24 CEST

Source RPM: p7zip-17.05-1.mga9.src.rpm
CVE: CVE-2023-52168, CVE-2023-52169
Status comment: Fixed in 7zip 24.01 beta


Description Nicolas Salguero 2024-07-04 15:24:37 CEST
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/07/03/10

Mageia 9 is also affected.
Nicolas Salguero 2024-07-04 15:25:35 CEST

Source RPM: (none) => p7zip-17.05-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-52168, CVE-2023-52169
Status comment: (none) => Fixed in 7zip 24.01 beta

Comment 1 Lewis Smith 2024-07-05 21:24:43 CEST
Not quite as obvious as it looks.
 https://github.com/p7zip-project/p7zip
says v17.05 Latest Feb 20, 2023; but cites also 7zip whose homepage
 https://www.7-zip.org/
is entirely Windows, versions up to 24.07 2024/06/19. However, its download page
 https://www.7-zip.org/download.html
includes 7-Zip 24.07 (2024-06-19):
 .tar.xz	64-bit Linux x86-64	7-Zip for Linux: console version
 .tar.xz	32-bit Linux x86

Assigning to DavidG who did earlier version updates.

Assignee: bugsquad => geiger.david68210

