Bug 620008 (CVE-2016-9296)

Summary:

<app-arch/p7zip-16.02-r3: Denial of Service vulnerability affects the 16.02 and many old versions of p7zip (null pointer check)

Product:

Gentoo Security

Reporter:

Andrey Ovcharov <sudormrfhalt>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

minor

CC:

prometheanfire

Priority:

Normal

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/

Whiteboard:

B3 [noglsa cve]

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
p7zip-16.02-CVE-2016-9296.patch	none

Description Andrey Ovcharov 2017-05-28 12:18:09 UTC

Created attachment 474572 [details, diff]
p7zip-16.02-CVE-2016-9296.patch

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9296

"A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams in CPP/7zip/Archive/7z/7zIn.cpp, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files."

Comment 1 D'juan McDonald (domhnall) 2017-09-04 01:52:18 UTC

@maintainer(s), 16.02-r1 is already in tree. call for stable if needed. Note the discussion in $url, patch may be unofficial.

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan

Comment 2 Matthew Thode ( prometheanfire ) archtester

2018-05-09 04:07:10 UTC

p7zip-16.02-r3 fixes it, I'd like to stablize whatever includes CVE-2018-10115 though

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2019-08-10 17:20:35 UTC

not sure how this got missed...