A memory corruption potentially allowing code execution has been found in 7-zip: https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/ Unfortunately it seems p7zip is no longer updated. The vuln is in the rar code, so it only affects p7zip with USE="rar".
noticed a missing 2016 cve patch (which I've added to r3) checked a couple other distros (fedora and arch for now) and didn't see a patch for this latest one.
(In reply to Matthew Thode ( prometheanfire ) from comment #1) > noticed a missing 2016 cve patch (which I've added to r3) > from bug 620008 ?
yes
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b160b9fd86e68ee72f39ce96db2e0c7de72e5f7 commit 2b160b9fd86e68ee72f39ce96db2e0c7de72e5f7 Author: Matthew Thode <prometheanfire@gentoo.org> AuthorDate: 2018-06-28 19:06:34 +0000 Commit: Matthew Thode <prometheanfire@gentoo.org> CommitDate: 2018-06-28 19:07:04 +0000 app-arch/p7zip: add fix for CVE-2018-10115 Bug: https://bugs.gentoo.org/655270 Package-Manager: Portage-2.3.40, Repoman-2.3.9 app-arch/p7zip/files/CVE-2018-10115.patch | 311 ++++++++++++++++++++++++++++++ app-arch/p7zip/p7zip-16.02-r4.ebuild | 165 ++++++++++++++++ 2 files changed, 476 insertions(+)
Arches, please stable '=app-arch/p7zip-16.02-r3' for the CVE.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c954aec09cfb1b6d77c269c4a4cc94529915e4c commit 1c954aec09cfb1b6d77c269c4a4cc94529915e4c Author: Sergei Trofimovich <slyfox@gentoo.org> AuthorDate: 2018-06-29 06:50:36 +0000 Commit: Sergei Trofimovich <slyfox@gentoo.org> CommitDate: 2018-06-29 06:51:40 +0000 app-arch/p7zip: stable 16.02-r3 for ia64, bug #655270 Bug: https://bugs.gentoo.org/655270 Package-Manager: Portage-2.3.41, Repoman-2.3.9 RepoMan-Options: --include-arches="ia64" app-arch/p7zip/p7zip-16.02-r3.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
ugh, it was r4, not r3 updated
commit 2c5907a3804ce99cf2fb927d21704f412eb32948 Author: Jeroen Roovers <jer@gentoo.org> Date: Fri Jun 29 12:14:51 2018 +0200 app-arch/p7zip: Stable for HPPA too.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f225e5fc91c55cc177eae2d756f051f5de5ecdce commit f225e5fc91c55cc177eae2d756f051f5de5ecdce Author: Sergei Trofimovich <slyfox@gentoo.org> AuthorDate: 2018-06-30 13:01:41 +0000 Commit: Sergei Trofimovich <slyfox@gentoo.org> CommitDate: 2018-06-30 14:44:58 +0000 app-arch/p7zip: stable 16.02-r4 for ia64, bug #655270 Bug: https://bugs.gentoo.org/655270 Package-Manager: Portage-2.3.41, Repoman-2.3.9 RepoMan-Options: --include-arches="ia64" app-arch/p7zip/p7zip-16.02-r4.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef5d31d5370768c259344d338b32611d5325f3cb commit ef5d31d5370768c259344d338b32611d5325f3cb Author: Sergei Trofimovich <slyfox@gentoo.org> AuthorDate: 2018-06-30 18:03:35 +0000 Commit: Sergei Trofimovich <slyfox@gentoo.org> CommitDate: 2018-06-30 19:02:58 +0000 app-arch/p7zip: stable 16.02-r4 for ppc64, bug #655270 Bug: https://bugs.gentoo.org/655270 Package-Manager: Portage-2.3.41, Repoman-2.3.9 RepoMan-Options: --include-arches="ppc64" app-arch/p7zip/p7zip-16.02-r4.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3858c664e6e8d5cfb35e9d7e920c29af12f83a26 commit 3858c664e6e8d5cfb35e9d7e920c29af12f83a26 Author: Matthew Thode <prometheanfire@gentoo.org> AuthorDate: 2018-07-03 02:08:40 +0000 Commit: Matthew Thode <prometheanfire@gentoo.org> CommitDate: 2018-07-03 02:08:56 +0000 app-arch/p7zip: remove old Bug: https://bugs.gentoo.org/655270 Package-Manager: Portage-2.3.40, Repoman-2.3.9 app-arch/p7zip/p7zip-16.02-r1.ebuild | 159 --------------------------------- app-arch/p7zip/p7zip-16.02-r2.ebuild | 163 ---------------------------------- app-arch/p7zip/p7zip-16.02-r3.ebuild | 164 ----------------------------------- 3 files changed, 486 deletions(-)
AMD64 was not stablized for r4, so I removed early, I can either readd or amd64 can hurry up
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0695cf40aac27e797742c96270d81044cdf418cc commit 0695cf40aac27e797742c96270d81044cdf418cc Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-07-03 03:11:35 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-07-03 03:11:35 +0000 app-arch/p7zip: amd64 stable Bug: https://bugs.gentoo.org/655270 Package-Manager: Portage-2.3.41, Repoman-2.3.9 app-arch/p7zip/p7zip-16.02-r4.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
commit f827dfb0e8b2ccf9a95aa4760f8a47f64e6389a1 Author: Matthew Thode <prometheanfire@gentoo.org> Date: Tue Jul 3 10:07:54 2018 -0500 app-arch/p7zip: fix stables
*** Bug 832040 has been marked as a duplicate of this bug. ***