Bug 7482 - [UPDATE REQUEST] p7zip 15.14.1 -> 16.02 CVE-2017-17969
Status: CONFIRMED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
Version: Fresh
Hardware: All Linux
Importance: Normal priority, normal severity
Target Milestone: ---
Assigned To: ROSA Linux Bugs
QA Contact: ROSA Linux Bugs
URL: http://www.linuxsecurity.com/content/...
Depends on:
Blocks:
Reported: 2016-11-03 14:07 MSK by Nemial
Modified: 2018-02-05 14:48 MSK (History)

See Also:
RPM Package: p7zip
ISO-related:
Bad POT generating:
Upstream:
Flags: vladimir.potapov: qa_verified-


Attachments
test archive (12.77 KB, application/zip)
2016-11-03 15:20 MSK, Vladimir Potapov

Description Nemial 2016-11-03 14:07:37 MSK
Update to version 16.02. It fixes CVE-2016-2334 and CVE-2016-2335
Comment 1 Nemial 2016-11-03 14:10:29 MSK
Advisory: "Update p7zip to new version 16.02"
https://abf.rosalinux.ru/build_lists/2746890
https://abf.rosalinux.ru/build_lists/2746889
Comment 2 Vladimir Potapov 2016-11-03 15:20:24 MSK
Created attachment 4559 [details]
test archive

The update breaks filelist encoding
************************************
QA Denied
Comment 3 Vladimir Potapov 2016-11-03 15:21:09 MSK
(In reply to comment #2)
> Created attachment 4559 [details]
> test archive
> 
> The update breaks filelist encoding
> ************************************
> QA Denied

P.S. Open by PeaZip
Comment 4 Zombie Ryushu 2016-12-01 03:54:27 MSK
There exist additional CVEs for this.

Bug #1394790 - CVE-2016-9296 p7zip: Null pointer dereference in 7zIn.cpp
        https://bugzilla.redhat.com/show_bug.cgi?id=1394790
Comment 5 Zombie Ryushu 2018-02-05 14:47:36 MSK
'landave' discovered a heap-based buffer overflow vulnerability in the NCompress::NShrink::CDecoder::CodeReal method in p7zip, a 7zr file archiver with high compression ratio. A remote attacker can take advantage of this flaw to cause a denial-of-service or, potentially the execution of arbitrary code with the privileges of the user running p7zip, if a specially crafted shrinked ZIP archive is processed.

https://www.debian.org/security/2018/dsa-4104
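Two of the points raised in this bug can be checked on an archive without trusting any 7-Zip build to parse it: comment 2 (filenames coming out with the wrong encoding) and comment 5 (the heap overflow is only reachable through entries compressed with the legacy Shrink method, ZIP method 1). The script below is an added example written for this page; it is not code from p7zip, ROSA, Debian or the bug reporter, and it does not reproduce the overflow. It parses the ZIP central directory directly with struct, reports each entry's compression method and whether the UTF-8 name flag (general purpose bit 11) is set, and lists the entries that would go through a Shrink decoder. Names without the UTF-8 flag are decoded as CP437 (what the APPNOTE specifies) and additionally as CP866; CP866 is an assumption made here because the attached test archive came from a Russian system and OEM-codepage names are the usual cause of garbled listings. The sample archive is constructed inline and is not the attachment from this bug; its "Shrunk" payload is placeholder bytes, not a real LZW stream.

```python
import struct
import zlib

# Compression method codes from the PKWARE APPNOTE (section 4.4.5).
METHOD_NAMES = {0: "Stored", 1: "Shrunk", 6: "Imploded", 8: "Deflated",
                9: "Deflate64", 12: "BZIP2", 14: "LZMA"}
SHRUNK = 1
FLAG_UTF8 = 0x0800  # general purpose bit 11: name and comment are UTF-8

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # local file header, 30 bytes
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory header, 46 bytes
EOCD_FMT = "<4sHHHHIIH"              # end of central directory, 22 bytes


def build_zip(entries):
    """Write a minimal single-disk ZIP from (name_bytes, flags, method, payload) tuples.
    The payload is copied verbatim as the 'compressed' data; this example only ever
    reads headers, so the payload does not have to be a valid stream for its method."""
    local, central = bytearray(), bytearray()
    for name, flags, method, payload in entries:
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local)
        local += struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, 0, 0,
                             crc, len(payload), len(payload), len(name), 0)
        local += name + payload
        central += struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, flags, method, 0, 0,
                               crc, len(payload), len(payload), len(name), 0, 0,
                               0, 0, 0, offset)
        central += name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def inspect_zip(blob):
    """Parse the central directory and report, per entry, the compression method and
    how the filename decodes. Assumes a single-disk archive without a ZIP comment that
    happens to contain the EOCD signature. Raises ValueError on a malformed directory."""
    eocd_at = blob.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, blob, eocd_at)
    if cd_offset + cd_size > eocd_at:
        raise ValueError("central directory extends past the EOCD record")
    pos, entries = cd_offset, []
    for _ in range(count):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        fields = struct.unpack_from(CENTRAL_FMT, blob, pos)
        flags, method = fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        raw = blob[pos + 46:pos + 46 + name_len]
        utf8 = bool(flags & FLAG_UTF8)
        entries.append({
            "raw_name": raw,
            # Spec behaviour: UTF-8 when bit 11 is set, otherwise CP437.
            "name": raw.decode("utf-8", "replace") if utf8 else raw.decode("cp437"),
            # Assumed alternative for archives written on Russian OEM systems.
            "name_cp866": None if utf8 else raw.decode("cp866"),
            "utf8": utf8,
            "method": method,
            "method_name": METHOD_NAMES.get(method, "unknown(%d)" % method),
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def shrunk_entries(blob):
    """Names of entries a Shrink (method 1) decoder would have to process."""
    return [e["name"] for e in inspect_zip(blob) if e["method"] == SHRUNK]


def sample_archive():
    """Constructed test input; not the attachment from this bug."""
    comp = zlib.compressobj(wbits=-15)  # raw deflate, as stored inside ZIP
    raw_deflate = comp.compress(b"hello from deflate\n") + comp.flush()
    return build_zip([
        (b"readme.txt", 0, 8, raw_deflate),
        (b"old.txt", 0, SHRUNK, b"\x00\x01\x02\x03"),  # placeholder, not a real shrink stream
        ("тест.txt".encode("cp866"), 0, 0, b"legacy OEM-encoded name\n"),
        ("тест.txt".encode("utf-8"), FLAG_UTF8, 0, b"UTF-8 flagged name\n"),
    ])


if __name__ == "__main__":
    blob = sample_archive()
    for e in inspect_zip(blob):
        alt = "" if e["utf8"] else "  (as cp866: %s)" % e["name_cp866"]
        print("%-10s utf8=%-5s %s%s" % (e["method_name"], e["utf8"], e["name"], alt))
    print("entries needing the Shrink decoder:", shrunk_entries(blob))
```

On a real archive, read the file into `blob` and call `shrunk_entries(blob)`; a non-empty result means the archive exercises the NCompress::NShrink decoder path that the Debian advisory describes, so it should not be opened with an unpatched p7zip. For the encoding problem from comment 2, compare the `name` and `name_cp866` columns for entries with `utf8=False`: if only the CP866 decoding is readable, the archive's names are OEM-encoded and whichever tool shows them garbled is decoding them as CP437 or UTF-8.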