Bug 944462 - app-arch/p7zip: vulnerability in zstandard implementation?
Summary: app-arch/p7zip: vulnerability in zstandard implementation?
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://vuldb.com/?id.285655
Whiteboard: ?? [upstream]
Blocks: CVE-2024-11477
Reported: 2024-11-22 11:49 UTC by Sergey 'L29Ah' Alirzaev
Modified: 2024-11-30 15:54 UTC

Description Sergey 'L29Ah' Alirzaev 2024-11-22 11:49:11 UTC
https://vuldb.com/?id.285655 suggests the versions present in Gentoo might be vulnerable. Are they?
Comment 1 Hans de Graaff gentoo-dev Security 2024-11-24 08:25:42 UTC
(In reply to Sergey 'L29Ah' Alirzaev from comment #0)
> https://vuldb.com/?id.285655 suggests the versions present in Gentoo might
> be vulnerable. Are they?

I'm not sure how you come to this conclusion? That CVE is for 7-zip, which is not the same package as app-arch/p7zip. It is possible that the same issue is also present in p7zip but I don't see any mention in the CVE that this may or may not be the case.

Ah, and I see you've asked for verification with p7zip upstream. I've linked that GitHub issue as well. Given the upstream activity I'm not sure a quick answer will be forthcoming, but let's give it a bit of time.