Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 946399

Summary: app-arch/p7zip: Add upstream patch for lz4 integer overflow (CVE-2021-3520)
Product: Gentoo Security Reporter: gen2dev
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ajak, prometheanfire
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=791952
https://github.com/p7zip-project/p7zip/pull/239
Whiteboard: A3 [ebuild]
Package list:
Runtime testing required: ---

Description gen2dev 2024-12-14 06:25:44 UTC 
app-arch/p7zip-17.* has a bundled version of lz4 which is affected by CVE-2021-3520 (Memory corruption due to integer overflow). Upstream recently fixed it in their "p7zip17" branch. It only changes one line of code. The patch should be added to the p7zip-17.05 ebuild.

https://github.com/p7zip-project/p7zip/pull/239
https://github.com/p7zip-project/p7zip/commit/d9c3d157c62e842897d4447db717f813810e1423

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-12-14 11:44:35 UTC 

*** This bug has been marked as a duplicate of bug 791952 ***
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-12-14 11:45:07 UTC 
Ah, no.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2025-03-23 09:28:02 UTC 
Seems like we'll get the upstream patch with 17.06.