7z code execution vulnerabilities

Bug #1581381 reported by pcworld
Affects          Status        Importance  Assigned to  Milestone
p7zip (Debian)   Fix Released  Unknown     -            -
p7zip (Ubuntu)   Fix Released  Medium      Unassigned   -
Nominated for Precise by Mathew Hodson
Nominated for Trusty by Mathew Hodson
Nominated for Wily by Mathew Hodson
Nominated for Xenial by Mathew Hodson

Bug Description

In 7z, multiple security vulnerabilities were discovered, supposedly allowing "in some circumstances … arbitrary code execution": http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
p7zip should be updated to include the fixes. Reportedly there is no new release of p7zip yet, so p7zip must be patched manually for now; the patches can be taken from 7-Zip: https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/

pcworld (pcworld)
information type: Private Security → Public Security
Mathew Hodson (mhodson)
Changed in p7zip (Ubuntu):
importance: Undecided → Medium
Mathew Hodson (mhodson) wrote :

This bug was fixed in the package p7zip (15.14.1+dfsg-2)

---
p7zip (15.14.1+dfsg-2) unstable; urgency=high

  * Fix the heap buffer overflow in HFS handler (CVE-2016-2334) and
    out of bounds read in UDF handler (CVE-2016-2335) using patches from
    https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/
    (closes: #824160).

 -- Robert Luberda <email address hidden> Sun, 15 May 2016 11:35:38 +0200

Changed in p7zip (Ubuntu):
status: New → Fix Released
Changed in p7zip (Debian):
status: Unknown → Fix Released
pcworld (pcworld)
description: updated
pcworld (pcworld) wrote :

Is someone working on backporting this to older releases? This bug seems to be quite serious.

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in p7zip (Ubuntu):
status: Fix Released → Incomplete
Amr Ibrahim (amribrahim1987) wrote :

Fixed in yakkety.

Changed in p7zip (Ubuntu):
status: Incomplete → Opinion
status: Opinion → Fix Released
tags: added: precise trusty xenial
Amr Ibrahim (amribrahim1987) wrote :

9.20.1~dfsg.1-4+deb7u2 in Debian has the fix and it's the same Trusty packaging. This could be synced to Trusty.
http://snapshot.debian.org/package/p7zip/9.20.1%7Edfsg.1-4%2Bdeb7u2/

Mathew Hodson (mhodson) wrote :

It looks like Precise, Trusty, and Vivid got a new version from Debian.

Wily and Xenial are still vulnerable.

tags: added: wily
Mathew Hodson (mhodson) wrote :

I read the date wrong for the package in Vivid. Vivid is still vulnerable.

9.20.1~dfsg.1-4.1+deb8u2 does exist in Debian stable-sec that could be synced to Vivid though.

Mathew Hodson (mhodson)
tags: added: vivid