Bug 273417 - [patch] archivers/7-zip: Update to 23.00 or 23.01 (Security)
Summary: [patch] archivers/7-zip: Update to 23.00 or 23.01 (Security)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Max Brazhnikov
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2023-08-29 09:07 UTC by Fabian Wenk
Modified: 2024-02-16 21:46 UTC (History)
CC List: 3 users

See Also:
bugzilla: maintainer-feedback? (makc)


Attachments
Patch 7-zip port from 22.01 to 23.01 (1.92 KB, patch)
2023-08-30 11:49 UTC, Fabian Wenk

Description Fabian Wenk 2023-08-29 09:07:37 UTC
According to the German news site Heise.de [1], versions below 23.00 contain a very critical vulnerability. Unfortunately, it was not mentioned in the release notes for 7-zip 23.00. Heise refers to "7-Zip SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability" [2].

 [1] https://www.heise.de/news/Jetzt-updaten-Hochriskante-Sicherheitsluecken-in-7-Zip-ermoeglichen-Codeschmuggel-9287669.html
 [2] https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
Comment 1 Stephan Muhs 2023-08-29 19:20:14 UTC
Seconded, the issue affects all users of 7zip.
Comment 2 Fabian Wenk 2023-08-30 11:49:11 UTC
Created attachment 244467 [details]
Patch 7-zip port from 22.01 to 23.01

Adjusted Makefile and distinfo for 23.01, plus also files/patch-CPP_7zip_7zip__gcc.mak as it did not apply any more.

I did build and run it on FreeBSD 12.4/amd64, but not on anything else.
Comment 3 Stephan Muhs 2023-08-30 19:42:19 UTC
Patch applied and 7zip 23.01 builds fine on both 12.4 and 13.2 for me (amd64). Basic functionality works for me, no time yet to test in any depth.
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-08-31 09:39:52 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=afb01763bb13cf2636e25932dbdfa2d2c228042d

commit afb01763bb13cf2636e25932dbdfa2d2c228042d
Author:     Max Brazhnikov <makc@FreeBSD.org>
AuthorDate: 2023-08-31 09:38:03 +0000
Commit:     Max Brazhnikov <makc@FreeBSD.org>
CommitDate: 2023-08-31 09:39:00 +0000

    archivers/7-zip: update to 23.01

    PR:             273417
    Submitted by:   Fabian Wenk

 archivers/7-zip/Makefile                           |  2 +-
 archivers/7-zip/distinfo                           |  6 +++---
 archivers/7-zip/files/patch-CPP_7zip_7zip__gcc.mak | 12 +++++++-----
 3 files changed, 11 insertions(+), 9 deletions(-)
Comment 5 Max Brazhnikov freebsd_committer freebsd_triage 2023-08-31 09:43:06 UTC
Thank you for the patch and testing!
Comment 6 Daniel Engberg freebsd_committer freebsd_triage 2023-09-01 18:00:29 UTC
Not sure if there's interest but there's a meson build around that might be worth looking into for collaboration as it would probably reduce the amount of patches and be easier to maintain.

https://github.com/atomlong/7-zip/blob/master/meson.build

This is what Arch Linux uses in their repo fwiw.