Bug 7482 - [UPDATE REQUEST] p7zip 15.14.1 -> 16.02 CVE-2016-9296 CVE-2017-17969 CVE-2018-5996
Status: CONFIRMED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
Version: Fresh
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: ROSA Linux Bugs
QA Contact: ROSA Linux Bugs
URL: http://www.linuxsecurity.com/content/...
Reported: 2016-11-03 14:07 MSK by Nemial
Modified: 2018-03-03 19:27 MSK (History)
RPM Package: p7zip
Attachments: test archive (12.77 KB, application/zip), 2016-11-03 15:20 MSK, Vladimir Potapov

Description Nemial 2016-11-03 14:07:37 MSK
Update to version 16.02. It fixes CVE-2016-2334 and CVE-2016-2335
Comment 1 Nemial 2016-11-03 14:10:29 MSK
Advisory: "Update p7zip to new version 16.02"
https://abf.rosalinux.ru/build_lists/2746890
https://abf.rosalinux.ru/build_lists/2746889
Comment 2 Vladimir Potapov 2016-11-03 15:20:24 MSK
Created attachment 4559 [details]
test archive

The update breaks filelist encoding
************************************
QA Denied
Comment 3 Vladimir Potapov 2016-11-03 15:21:09 MSK
(In reply to comment #2)
> Created attachment 4559 [details]
> test archive
> 
> The update break filelist encoding
> ************************************
> QA Denied

P.S. Open by PeaZip
Comment 4 Zombie Ryushu 2016-12-01 03:54:27 MSK
There exist additional CVEs for this.

Bug #1394790 - CVE-2016-9296 p7zip: Null pointer dereference in 7zIn.cpp
        https://bugzilla.redhat.com/show_bug.cgi?id=1394790
Comment 5 Zombie Ryushu 2018-02-05 14:47:36 MSK
'landave' discovered a heap-based buffer overflow vulnerability in the NCompress::NShrink::CDecoder::CodeReal method in p7zip, a 7zr file archiver with high compression ratio. A remote attacker can take advantage of this flaw to cause a denial of service or, potentially, the execution of arbitrary code with the privileges of the user running p7zip, if a specially crafted shrinked ZIP archive is processed.

https://www.debian.org/security/2018/dsa-4104
Comment 6 Giovanni Mariani 2018-03-03 18:19:30 MSK
Advisory:
Update p7zip to release 16.02 and added patches to fix CVE-2016-9296, CVE-2017-17969 and CVE-2018-5996.
Comment 7 Giovanni Mariani 2018-03-03 18:24:44 MSK
Vladimir, how am I supposed to use your test archive?
Trying to open it in peazip results in a segmentation fault with both our older 15.14.1 and newer 16.02 p7zip...

Doing a "7z l Проверочный архив.zip" in a konsole (for both releases) gives me the following error:
***********************
Scanning the drive for archives:

ERROR: No more files
Проверочный

System ERROR:
Unknown error -2147024872
**********************

It looks like our original package is broken exactly like the new one...
Comment 8 Giovanni Mariani 2018-03-03 19:18:15 MSK
(In reply to comment #7)
> Vladimir, how I am supposed to use your test archive?
> Trying to open it in peazip results in a segmentation fault with both our
> older 15.14.1 and newer 16.02 p7zip...
> 
> While doing a "" in a konsole (for both releases),
> gives me the following error:
> It looks like our original package is broken exactly as the new one...

Discard all the above: I forgot to put the zip filename between "" when running 7z from a console...
To do more testing I also made a build without Patch7 (because it needed a rediff and I don't really understand the code it was patching, so I'm not sure the rediff result is effective; and because this patch apparently messes with encoding and UTF).
The results:
1) all the builds (15.14.1, 16.02 and 16.02 w/o P7) have a segfault when trying to open the test archive with peazip.

2) Doing a: '7z l "Проверочный архив.zip"' in a konsole has the following results:
15.14.1  =>  works and shows the archived filename as "»α«óÑα«τ¡δ⌐ Σá⌐½.doc"
16.02    =>  segfault /usr/bin/7z: line 2: 16584 Bus error (core dumped)
"/usr/lib64/p7zip/7z" "$@"
Comment 9 Giovanni Mariani 2018-03-03 19:27:28 MSK
(In reply to comment #7)
> Vladimir, how I am supposed to use your test archive?
> Trying to open it in peazip results in a segmentation fault with both our
> older 15.14.1 and newer 16.02 p7zip...
> 
> While doing a "" in a konsole (for both releases),
> gives me the following error:
> It looks like our original package is broken exactly as the new one...

Discard all the above: I forgot to put the zip filename between "" when running 7z from a console...
To do more testing I also made a build without Patch7 (because it needed a rediff and I don't really understand the code it was patching, so I'm not sure the rediff result is effective; and because this patch apparently messes with encoding and UTF).
The results:
1) all the builds (15.14.1, 16.02 and 16.02 w/o P7) have a segfault when trying to open the test archive with peazip.

2) Doing a: '7z l "Проверочный архив.zip"' in a konsole has the following results:
15.14.1  =>  works and shows the archived filename as "»α«óÑα«τ¡δ⌐ Σá⌐½.doc"

16.02    =>  segfault /usr/bin/7z: line 2: 16584 Bus error (core dumped)

16.02 w/o P7 => works, but shows the archived filename as "¯à®¢¥à®ç­ë© ä ©«.doc"

So patch 7 for libnatspec support is both needed and likely the culprit for the above failure... but redoing this one is work for someone with more knowledge than me.

Retiring QA request...

BTW, the packages I did are here (forgot to add the above...):
https://abf.rosalinux.ru/build_lists/2920830
https://abf.rosalinux.ru/build_lists/2920831
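The two garbled names quoted in comment 9 are the same CP866 filename bytes read as CP437 (the 15.14.1 build) and as Latin-1 (16.02 without patch 7). The following Python is an added example, not code from the bug report, p7zip or libnatspec: it reproduces both outputs from constructed input and shows the decode order an encoding-aware ZIP reader should follow (honour general-purpose flag bit 11 for UTF-8, otherwise fall back to a configured legacy codepage). The original name "проверочный файл.doc" is an assumption reconstructed from the mojibake, and the function names are hypothetical.

```python
# Added example (not from the bug report, p7zip or libnatspec): how one set of
# ZIP entry-name bytes becomes the two garbled names quoted in comment 9.
UTF8_FLAG = 0x800  # ZIP general-purpose bit 11: name and comment are UTF-8


def decode_zip_name(raw: bytes, flag_bits: int, fallback: str = "cp866") -> str:
    """Decode an entry name the way a codepage-aware (libnatspec-style) reader should.

    Bit 11 set   -> the name must be valid UTF-8; anything else is a malformed header.
    Bit 11 clear -> pure ASCII is unambiguous; otherwise use the configured legacy codepage.
    """
    if flag_bits & UTF8_FLAG:
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError("UTF-8 flag set but entry name is not valid UTF-8") from exc
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.decode(fallback)


def naive_decode(raw: bytes, assumed: str) -> str:
    """What a reader that ignores the real codepage shows (cp437 and latin-1 are common defaults)."""
    return raw.decode(assumed)


def repair_mojibake(shown: str, assumed: str, actual: str = "cp866") -> str:
    """Undo a wrong single-byte decode: re-encode with the codec that produced the garbage,
    then decode with the real codepage. Lossless because cp437 and latin-1 map every byte
    to a distinct character, so the round trip recovers the original bytes exactly."""
    return shown.encode(assumed).decode(actual)


# Constructed sample: the name is assumed to be "проверочный файл.doc", stored as CP866
# with bit 11 clear, as DOS/Windows-era archivers wrote Cyrillic names.
RAW_NAME = "проверочный файл.doc".encode("cp866")

if __name__ == "__main__":
    print(naive_decode(RAW_NAME, "cp437"))    # 15.14.1 shows: »α«óÑα«τ¡δ⌐ Σá⌐½.doc
    print(naive_decode(RAW_NAME, "latin-1"))  # 16.02 w/o patch 7 shows: ¯à®¢¥à®ç­ë© ä ©«.doc
    print(decode_zip_name(RAW_NAME, 0))       # проверочный файл.doc
    print(repair_mojibake("»α«óÑα«τ¡δ⌐ Σá⌐½.doc", "cp437"))  # проверочный файл.doc
```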