| Summary: | [UPDATE REQUEST] p7zip 15.14.1 -> 16.02 CVE-2016-9296 CVE-2017-17969 CVE-2018-5996 | ||
|---|---|---|---|
| Product: | [ROSA-based products] ROSA Fresh | Reporter: | Nemial <negry.mischa> |
| Component: | Packages from Main | Assignee: | ROSA Linux Bugs <bugs> |
| Status: | VERIFIED FIXED | QA Contact: | ROSA Linux Bugs <bugs> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrey.bondrov, denis.silakov, mc2374, negry.mischa, pastordidi, v.potapov |
| Version: | Fresh | Flags: | v.potapov: qa_verified+, andrey.bondrov: published+ |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.linuxsecurity.com/content/view/169987/102/ | ||
| Whiteboard: | |||
| Platform: | --- | ROSA Vulnerability identifier: | |
| RPM Package: | p7zip | ISO-related: | |
| Bad POT generating: | Upstream: | ||
| Attachments: | test archive | ||
|
Description
Nemial
2016-11-03 14:07:37 MSK
Advisory: "Update p7zip to new version 16.02"
https://abf.rosalinux.ru/build_lists/2746890
https://abf.rosalinux.ru/build_lists/2746889

Created attachment 4559 [details]
test archive

The update breaks filelist encoding
************************************
QA Denied

(In reply to comment #2)
> Created attachment 4559 [details]
> test archive
>
> The update breaks filelist encoding
> ************************************
> QA Denied

P.S. Open by PeaZip

There exist additional CVEs for this.
Bug #1394790 - CVE-2016-9296 p7zip: Null pointer dereference in 7zIn.cpp
https://bugzilla.redhat.com/show_bug.cgi?id=1394790
'landave' discovered a heap-based buffer overflow vulnerability in the NCompress::NShrink::CDecoder::CodeReal method in p7zip, a 7zr file archiver with high compression ratio. A remote attacker can take advantage of this flaw to cause a denial-of-service or, potentially the execution of arbitrary code with the privileges of the user running p7zip, if a specially crafted shrinked ZIP archive is processed.
https://www.debian.org/security/2018/dsa-4104

Advisory: Update p7zip to release 16.02 and added patches to fix CVE-2016-9296, CVE-2017-17969 and CVE-2018-5996.

Vladimir, how am I supposed to use your test archive?
Trying to open it in peazip results in a segmentation fault with both our older 15.14.1 and newer 16.02 p7zip...

While doing a "7z l Проверочный архив.zip" in a konsole (for both releases), gives me the following error:
***********************
Scanning the drive for archives:
ERROR: No more files
Проверочный
System ERROR:
Unknown error -2147024872
**********************
It looks like our original package is broken exactly as the new one...

(In reply to comment #7)
> Vladimir, how I am supposed to use your test archive?
> Trying to open it in peazip results in a segmentation fault with both our
> older 15.14.1 and newer 16.02 p7zip...
>
> While doing a "" in a konsole (for both releases),
> gives me the following error:
> It looks like our original package is broken exactly as the new one...

Discard all the above: I forgot to put the zip filename between "" when running 7z from a console...

To do more testing I also made a build without the Patch7 (because it needed a rediff and I don't really understand the code it was patching, so I'm not sure the rediff result is effective; and because this patch apparently messes with encoding and UTF).

The results:
1) all the builds (15.14.1, 16.02 and 16.02 w/o P7) have a segfault when trying to open the test archive with peazip.
2) Doing a: '7z l "Проверочный архив.zip"' in a konsole has the following results:
15.14.1 => works and shows the archive namefile as "»α«óÑα«τ¡δ⌐ Σá⌐½.doc"
16.02 => segfault
/usr/bin/7z: line 2: 16584 Bus error (core dumped) "/usr/lib64/p7zip/7z" "$@"

(In reply to comment #7)
> Vladimir, how I am supposed to use your test archive?
> Trying to open it in peazip results in a segmentation fault with both our
> older 15.14.1 and newer 16.02 p7zip...
>
> While doing a "" in a konsole (for both releases),
> gives me the following error:
> It looks like our original package is broken exactly as the new one...

Discard all the above: I forgot to put the zip filename between "" when running 7z from a console...

To do more testing I also made a build without the Patch7 (because it needed a rediff and I don't really understand the code it was patching, so I'm not sure the rediff result is effective; and because this patch apparently messes with encoding and UTF).

The results:
1) all the builds (15.14.1, 16.02 and 16.02 w/o P7) have a segfault when trying to open the test archive with peazip.
2) Doing a: '7z l "Проверочный архив.zip"' in a konsole has the following results:
15.14.1 => works and shows the archived namefile as "»α«óÑα«τ¡δ⌐ Σá⌐½.doc"
16.02 => segfault
/usr/bin/7z: line 2: 16584 Bus error (core dumped)
16.02 w/o P7 => works, but shows the archived namefile as "¯à®¢¥à®çë© ä ©«.doc"

So the patch 7 for libnatspec support is both needed and likely to be the culprit for the above failure... but redoing this one is work for someone with more knowledge than me.

Retiring QA request...

BTW, the packages I did are here (forgot to add the above...):
https://abf.rosalinux.ru/build_lists/2920830
https://abf.rosalinux.ru/build_lists/2920831

Advisory: "Update p7zip to new version 16.02. Fix segmentation fault in natspec support patch."
https://abf.rosalinux.ru/build_lists/3006734
https://abf.rosalinux.ru/build_lists/3006735

(In reply to Vladimir Potapov from comment #2)
> Created attachment 4559 [details]
> test archive
>

It also works.

The update is sent to expanded testing
*****************************************
p7zip-16.02-3
https://abf.rosalinux.ru/build_lists/3006734
https://abf.rosalinux.ru/build_lists/3006735
******************************* Advisory *************************
Update to version 16.02. It fixes CVE-2016-2334 and CVE-2016-2335
******************************************************************
QA Verified |
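
The two garbled file names reported in the test results above can be checked against a code-page mismatch. This is an added example, not part of the thread and not p7zip code: it searches for the wrong decode that produced the 15.14.1 listing, then confirms that the same stored bytes give the listing of the build without Patch7. The candidate code-page lists are assumptions, and the Cyrillic name is inferred from the reported strings.

```python
# Added illustration: not code from this bug thread or from p7zip.
import itertools

# Archived file names as the two working builds printed them in the thread.
SEEN_15_14_1 = "»α«óÑα«τ¡δ⌐ Σá⌐½.doc"
SEEN_16_02_NO_P7 = "¯à®¢¥à®çë© ä ©«.doc"

SHOWN_AS = ("cp437", "cp850", "latin-1")   # assumed candidates for the display decode
STORED_AS = ("cp866", "cp1251", "koi8-r")  # assumed candidates for the stored bytes

def is_russian(stem):
    """True if the stem holds only Russian letters and spaces."""
    return bool(stem.strip()) and all(
        c == " " or "\u0410" <= c <= "\u044f" or c in "Ёё" for c in stem)

def recover(mojibake):
    """Undo one wrong decode; return (shown_as, stored_as, name) for every
    code-page pair that yields a clean Russian file name."""
    hits = []
    for shown, stored in itertools.product(SHOWN_AS, STORED_AS):
        try:
            name = mojibake.encode(shown).decode(stored)
        except UnicodeError:
            continue  # this pair cannot have produced the string
        if is_russian(name.rsplit(".", 1)[0]):
            hits.append((shown, stored, name))
    return hits

def visible(text):
    """Drop what a terminal or web page hides: soft hyphen, no-break space."""
    return text.replace("\u00ad", "").replace("\u00a0", " ")

def explain():
    """Return (shown_as, stored_as, name, second_listing_matches)."""
    (shown, stored, name), = recover(SEEN_15_14_1)
    raw = name.encode(stored)          # bytes as stored in the archive entry
    latin1_view = raw.decode("latin-1")  # same bytes, a different wrong decode
    return shown, stored, name, visible(latin1_view) == visible(SEEN_16_02_NO_P7)

if __name__ == "__main__":
    print(explain())
```

Both listings come from the same CP866 bytes: 15.14.1 rendered them as CP437 and the build without Patch7 rendered them as Latin-1, so neither build converted the name to the terminal's encoding.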