Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is p7zip affected by remote code execution security vulnerabilities of "normal" 7zip? #224

Open
therealmarv opened this issue Aug 29, 2023 · 2 comments
Open

Is p7zip affected by remote code execution security vulnerabilities of "normal" 7zip? #224

therealmarv opened this issue Aug 29, 2023 · 2 comments

Comments

@therealmarv
Copy link

therealmarv commented Aug 29, 2023
edited
Loading

Seems 7zip 22.01 from Igor Pavlov was affected by these two new found security bugs:

It seems those issues allow remote code execution by opening files !!!

7zip has released new versions (23.01) which apparently fixes those issues.

Unfortunately p7zip is the default on many Linux distros out there.

Any statements about those two security issues?
@tansy
Copy link
Contributor

tansy commented Sep 14, 2023
edited
Loading

Any statements about those two security issues?

Yes. You can go to sf.net/p/sevenzip, download and compare versions 22.01 and 23.01, get what it does to solve the issue, incorporate it to 17.05, request a pull and get an award for being security hero.

Ed. Here is diff between v22.01 and v23.01.
It's where this vulnerability (squashfs) is fixed. you're welcome to incoreporate it to v17.05.

@tansy
Copy link
Contributor

tansy commented Oct 17, 2023

What's interesting, Pavlov says that

p7zip 16.02 is not affected by CVE-2023-31102

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@therealmarv @tansy