Bug 273417

Summary: [patch] archivers/7-zip: Update to 23.00 or 23.01 (Security)
Product: Ports & Packages
Reporter: Fabian Wenk <fabian>
Component: Individual Port(s)
Assignee: Max Brazhnikov <makc>
Status: Closed FIXED
Severity: Affects Many People
CC: diizzy, fabian, sm
Priority: ---
Keywords: patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (makc)
Hardware: Any
OS: Any
Attachments:
  Description                             Flags
  Patch 7-zip port from 22.01 to 23.01    none

Description Fabian Wenk 2023-08-29 09:07:37 UTC
According to the German news site Heise.de [1], versions below 23.00 contain a very critical vulnerability. Unfortunately, in the release notes for 7-zip 23.00 it was not mentioned. Heise does refer to "7-Zip SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability" [2].

[1] https://www.heise.de/news/Jetzt-updaten-Hochriskante-Sicherheitsluecken-in-7-Zip-ermoeglichen-Codeschmuggel-9287669.html
[2] https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
Comment 1 Stephan Muhs 2023-08-29 19:20:14 UTC
Seconded, the issue affects all users of 7zip.
Comment 2 Fabian Wenk 2023-08-30 11:49:11 UTC
Created attachment 244467 [details]
Patch 7-zip port from 22.01 to 23.01

Adjusted Makefile and distinfo for 23.01, and also files/patch-CPP_7zip_7zip__gcc.mak, as it did not apply any more.

I did build and run it on FreeBSD 12.4/amd64, but not on anything else.
Comment 3 Stephan Muhs 2023-08-30 19:42:19 UTC
Patch applied and 7zip 23.01 builds fine on both 12.4 and 13.2 for me (amd64). Basic functionality works for me, no time yet to test in any depth.
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-08-31 09:39:52 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=afb01763bb13cf2636e25932dbdfa2d2c228042d

commit afb01763bb13cf2636e25932dbdfa2d2c228042d
Author:     Max Brazhnikov <makc@FreeBSD.org>
AuthorDate: 2023-08-31 09:38:03 +0000
Commit:     Max Brazhnikov <makc@FreeBSD.org>
CommitDate: 2023-08-31 09:39:00 +0000

    archivers/7-zip: update to 23.01

    PR:             273417
    Submitted by:   Fabian Wenk

 archivers/7-zip/Makefile                           |  2 +-
 archivers/7-zip/distinfo                           |  6 +++---
 archivers/7-zip/files/patch-CPP_7zip_7zip__gcc.mak | 12 +++++++-----
 3 files changed, 11 insertions(+), 9 deletions(-)
Comment 5 Max Brazhnikov freebsd_committer freebsd_triage 2023-08-31 09:43:06 UTC
Thank you for the patch and testing!
Comment 6 Daniel Engberg freebsd_committer freebsd_triage 2023-09-01 18:00:29 UTC
Not sure if there's interest, but there's a meson build around that might be worth looking into for collaboration, as it would probably reduce the number of patches and be easier to maintain.

https://github.com/atomlong/7-zip/blob/master/meson.build

This is what Arch Linux uses in their repo fwiw.