
Bug 213889

Summary: app-arch/p7zip < 4.5.7 - CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: radek
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
Whiteboard: B3? [noglsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2008-03-19 05:41:25 UTC
From the advisory:

   "The vulnerabilities described in this advisory can potentially affect 
    programs that handle the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA,
    RAR, TAR, ZIP and ZOO."

Ignore the libarchive advisory for Gentoo - that's ancient. What certainly appears to be needed is for the older app-arch/p7zip-4.55-r1 to be removed (perhaps patched?).
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-19 11:32:54 UTC
4.57, which is marked as not vulnerable by CERT-FI, is in the tree and stable since January and March respectively; see bug 207520 and bug 213595.

Removal of the affected versions would be nice, but is up to the maintainer. For us, this now poses the question whether we send a GLSA. I'll inquire upstream about impact.
Comment 2 Radoslaw Stachowiak (RETIRED) gentoo-dev 2008-03-21 11:23:24 UTC
Removed 4.55* from Portage.

Who should close the bug now?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 12:27:44 UTC
We will, as soon as we know what the scope of the vulnerability is.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 17:17:23 UTC
Quoting upstream:
I don't remember the exact things that were fixed according to that Test Suite. Maybe
I've fixed some things, maybe not.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-08 21:33:10 UTC
(In reply to comment #4)
> Quoting upstream:
> I don't remember the exact things that were fixed according to that Test Suite. Maybe
> I've fixed some things, maybe not.
> 

great :/
I'd be in favor of just closing this without GLSA... so voting NO.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-04-09 17:16:41 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Quoting upstream:
> > I don't remember the exact things that were fixed according to that Test Suite. Maybe
> > I've fixed some things, maybe not.
> > 
> 
> great :/
> I'd be in favor of just closing this without GLSA... so voting NO.
OK, let's say "fixed".