Bug 213889 - app-arch/p7zip < 4.5.7 - CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://www.cert.fi/haavoittuvuudet/j...
Whiteboard: B3? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-19 05:41 UTC by Jeroen Roovers (RETIRED)
Modified: 2008-04-09 17:16 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Jeroen Roovers (RETIRED) gentoo-dev 2008-03-19 05:41:25 UTC
From the advisory:

   "The vulnerabilities described in this advisory can potentially affect 
    programs that handle the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA,
    RAR, TAR, ZIP and ZOO."

Ignore the libarchive advisory for Gentoo - that's ancient. What certainly appears to be needed is for the older app-arch/p7zip-4.55-r1 to be removed (perhaps patched?).
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-19 11:32:54 UTC
4.57, which is marked as not vulnerable by CERT-FI, is in the tree and stable since January and March; see bug 207520 and bug 213595.

Removal of the affected versions would be nice, but is up to the maintainer. For us, this now poses the question whether we send a GLSA. I'll inquire upstream about impact.
Comment 2 Radoslaw Stachowiak (RETIRED) gentoo-dev 2008-03-21 11:23:24 UTC
Removed 4.55* from Portage.

Who should close the bug now?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 12:27:44 UTC
We will, as soon as we know what the scope of the vulnerability is.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 17:17:23 UTC
Quoting upstream:
I don't remember exactly which things were fixed according to that Test Suite. Maybe
I've fixed some things, maybe not.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-08 21:33:10 UTC
(In reply to comment #4)
> Quoting upstream:
> I don't remember exactly which things were fixed according to that Test Suite. Maybe
> I've fixed some things, maybe not.
> 

great :/
I'd be in favor of just closing this without GLSA... so voting NO.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-04-09 17:16:41 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Quoting upstream:
> > I don't remember exactly which things were fixed according to that Test Suite. Maybe
> > I've fixed some things, maybe not.
> > 
> 
> great :/
> I'd be in favor of just closing this without GLSA... so voting NO.


OK, let's say "fixed".