Summary: | <app-arch/p7zip-16.02-r1: multiple vulnerabilities (CVE-2016-{2334,2335}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Chí-Thanh Christopher Nguyễn <chithanh> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ab4bd, mail, mjo |
Priority: | Normal | Flags: | kensington:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: |
=app-arch/p7zip-16.02-r1
|
Runtime testing required: | --- |
Description
Chí-Thanh Christopher Nguyễn
2016-05-12 13:29:40 UTC
waiting on release so I can update, should be auto-notified when it is released. 7-Zip 16.00 was released on May 10 [1] and is available for download [2]. [1] http://www.7-zip.org/history.txt [2] http://www.7-zip.org/download.html that's not p7zip though :( so, not an issue? As far as I understand, it is not an issue for the 7za binary. The discussion does not say anything about the other binaries. p7zip 16.02 was released upstream, hopefully fixing these issues. Ok, I've updated the package, 16.02 is now out. Should we cc arches? CVE-2016-2335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2335): The CInArchive::ReadFileItem method in Archive/Udf/UdfIn.cpp in 7zip 9.20 and 15.05 beta and p7zip allows remote attackers to cause a denial of service (out-of-bounds read) or execute arbitrary code via the PartitionRef field in the Long Allocation Descriptor in a UDF file. Still trying to track that the vulnerabilities have been patched. Fixed version is in repository since https://gitweb.gentoo.org/repo/gentoo.git/commit/app-arch/p7zip?id=98be5eb1827845a1551e998392c603e692815ccc @arches, please stabilize: =app-arch/p7zip-16.02-r1 amd64 stable x86 stable sparc stable ia64 stable ppc stable hppa and ppc64 remain, do we care about these arches, I forget if the last council meeting made a hard decision here. oops, got this confused with the memcached cleanup :D ppc64 stable Stable for HPPA. New GLSA request filed. @ Maintainer(s): Please cleanup <app-arch/p7zip-16.02-r1! cleaned up, removing self from cc This issue was resolved and addressed in GLSA 201701-27 at https://security.gentoo.org/glsa/201701-27 by GLSA coordinator Aaron Bauman (b-man). |