213889 2008-03-19 05:41 0000 app-arch/p7zip < 4.5.7 - CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats 2008-04-09 17:16:41 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html B3? [noglsa] P2 minor --- 1 jer@gentoo.org security@gentoo.org radek@gentoo.org jer@gentoo.org 2008-03-19 05:41:25 0000 From the advisory: "The vulnerabilities described in this advisory can potentially affect programs that handle the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO." Ignore the libarchive advisory for Gentoo - that's ancient. What certainly appears to be needed is for the older app-arch/p7zip-4.55-r1 to be removed (perhaps patched?). rbu@gentoo.org 2008-03-19 11:32:54 0000 4.57 that is marked as not vulnerable by CERT-FI is in the tree and stable, since january and march, see bug 207520 and bug 213595. Removal of the affected versions would be nice, but is up to the maintainer. For us, this now poses the question whether we send a GLSA. I'll inquire upstream about impact. radek@gentoo.org 2008-03-21 11:23:24 0000 removed 4.55* from portage. who should close the bug now? rbu@gentoo.org 2008-03-21 12:27:44 0000 We will, as soon as we know what the scope of the vulnerability is. rbu@gentoo.org 2008-04-01 17:17:23 0000 Quoting upstream: I don't remember exact things that were fixed according that Test Suite. Maybe I've fixed some things, maybe not. py@gentoo.org 2008-04-08 21:33:10 0000 (In reply to comment #4) > Quoting upstream: > I don't remember exact things that were fixed according that Test Suite. Maybe > I've fixed some things, maybe not. > great :/ I'd be in favor of just closing this without GLSA... so voting NO. falco@gentoo.org 2008-04-09 17:16:41 0000 (In reply to comment #5) > (In reply to comment #4) > > Quoting upstream: > > I don't remember exact things that were fixed according that Test Suite. Maybe > > I've fixed some things, maybe not. > > > > great :/ > I'd be in favor of just closing this without GLSA... so voting NO. OK, let's say "fixed".