Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 645500 (CVE-2017-17969, CVE-2018-5996) - <app-arch/p7zip-16.02-r2: Memory corruption in ZIP and RAR unpacker
Summary: <app-arch/p7zip-16.02-r2: Memory corruption in ZIP and RAR unpacker
Status: RESOLVED FIXED
Alias: CVE-2017-17969, CVE-2018-5996
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://landave.io/2018/01/7-zip-mult...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-23 19:01 UTC by Hanno Böck
Modified: 2018-07-03 02:26 UTC (History)
1 user (show)

See Also:
Package list:
=app-arch/p7zip-16.02-r2
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2018-01-23 19:01:43 UTC 
See
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/

This has been fixed in 7-zip 18.00, but p7zip hasn't been updated yet. If it doesn't get updated we may need to backport fixes.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-02-06 18:26:53 UTC 
(In reply to Hanno Boeck from comment #0)
> See
> https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/
> 
> This has been fixed in 7-zip 18.00, but p7zip hasn't been updated yet. If it
> doesn't get updated we may need to backport fixes.

Thanks Hanno,

@Maintainer please advice best way to proceed.
Comment 2 Larry the Git Cow gentoo-dev 2018-02-07 19:41:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b684427f2fbb85f3f5f895f7794b81d6f83a4bea

commit b684427f2fbb85f3f5f895f7794b81d6f83a4bea
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2018-02-07 19:40:40 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2018-02-07 19:41:01 +0000

    app-arch/p7zip: for CVE-2017-17969, CVE-2018-5996
    
    Bug: https://bugs.gentoo.org/645500
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 app-arch/p7zip/files/CVE-2017-17969.patch |  26 ++++
 app-arch/p7zip/files/CVE-2018-5996.patch  | 221 ++++++++++++++++++++++++++++++
 app-arch/p7zip/p7zip-16.02-r2.ebuild      | 163 ++++++++++++++++++++++
 3 files changed, 410 insertions(+)}
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2018-02-07 19:46:01 UTC 
Ya, ready for fast stable now for '=app-arch/p7zip-16.02-r2 alpha amd64 hppa ia64 ppc ppc64 sparc x86'

Let me know if I'm good to add it to the package list and cc arches.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2018-02-07 20:01:37 UTC 
not adding sparc as sparc is not for stable now?
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-08 21:52:02 UTC 
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-09 07:35:17 UTC 
hppa stable
Comment 7 Agostino Sarubbo gentoo-dev 2018-02-09 08:40:03 UTC 
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-10 00:33:53 UTC 
x86 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-04 17:44:31 UTC 
Stable on alpha.
Comment 10 Matt Turner gentoo-dev 2018-03-12 01:05:24 UTC 
ppc/ppc64 done. all arches done
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-06-11 15:37:39 UTC 
@maintainer, please drop vulnerable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-06-11 15:38:00 UTC 
Adding sparc for a chance to stable
Comment 13 Larry the Git Cow gentoo-dev 2018-06-18 18:31:36 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edbb0d92c07600a6202c7f6d1e434cdcc185ec38

commit edbb0d92c07600a6202c7f6d1e434cdcc185ec38
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-18 16:30:14 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-18 18:30:55 +0000

    app-arch/p7zip: stable 16.02-r2 for sparc
    
    Bug: https://bugs.gentoo.org/645500
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 app-arch/p7zip/p7zip-16.02-r2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 Michael Boyle 2018-07-03 02:05:37 UTC 
@maintianer(s), please drop vulnerable.

Michael Boyle
Gentoo Security Padawan