Bug 228239 - archivers/p7zip: Current version is vulnerable (CVE-2018-10115)
Summary: archivers/p7zip: Current version is vulnerable (CVE-2018-10115)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Carlo Strub
URL:
Keywords: needs-patch, needs-qa, security
Duplicates: 252810
Depends on:
Blocks:
 
Reported: 2018-05-14 09:18 UTC by Dani I.
Modified: 2021-12-11 22:08 UTC
CC List: 7 users

See Also:
koobs: maintainer-feedback? (ports-secteam)
i.dani: merge-quarterly?


Attachments

Comment 1 Raphael Kubo da Costa freebsd_committer freebsd_triage 2018-05-14 10:28:53 UTC
I'm aware of the vulnerability, the problem is that upstream is half-dead/unresponsive: while 7zip itself has been patched, the p7zip project only has a huge, unreviewed user-submitted patch: https://sourceforge.net/p/p7zip/discussion/383043/thread/5dd56271/

Given this bug doesn't affect Fedora and openSUSE, and neither Arch Linux nor Debian have incorporated that patch, I'm hesitant to be the first one to do that.
Comment 3 Jochen Neumeister freebsd_committer freebsd_triage 2019-02-15 18:25:18 UTC
what is the current status?
Does ports-secteam have to be active here?
Comment 4 Raphael Kubo da Costa freebsd_committer freebsd_triage 2019-02-24 22:04:05 UTC
This slipped through the cracks while I had very little time for FreeBSD... I took a look at this today, and I think the Debian patch can be improved. I've posted a new version to the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674#15 and would like to wait for some feedback before committing a fix to the tree.
Comment 5 Jochen Neumeister freebsd_committer freebsd_triage 2020-03-14 21:18:15 UTC
can we close here?
Comment 6 Raphael Kubo da Costa freebsd_committer freebsd_triage 2021-01-23 11:07:05 UTC
Reopening, as this was brought up again in bug 252810.
Comment 7 Raphael Kubo da Costa freebsd_committer freebsd_triage 2021-01-23 11:09:30 UTC
*** Bug 252810 has been marked as a duplicate of this bug. ***
Comment 8 Jochen Neumeister freebsd_committer freebsd_triage 2021-02-13 18:17:45 UTC
(In reply to Raphael Kubo da Costa from comment #6)

You are the assignee of this PR. Why open the PR if they don't commit the update from the other PR?

Since it no longer requires approval from ports-secteam, I am removing us (ports-secteam) from this PR
Comment 9 Sean Farley freebsd_committer freebsd_triage 2021-02-15 02:09:01 UTC
To answer the question asked in bug 252810, it does appear that the code that exists in p7zip 18.05 fixes both CVEs based upon the author's comment.  I am fine with using code from the later version of p7zip.

If in doubt, there is also the option to upgrade the port to a newer version of p7zip.  :)  18.06 or 19.00.  I believe 20 is still in beta.
Comment 10 Raphael Kubo da Costa freebsd_committer freebsd_triage 2021-02-15 07:50:34 UTC
(In reply to Sean Farley from comment #9)
> If in doubt, there is also the option to upgrade the port to
> a newer version of p7zip.  :)  18.06 or 19.00.  I believe 20
> is still in beta.

Can you point to where these new versions are available? The latest version in SourceForge is still 16.02.
Comment 11 Sean Farley freebsd_committer freebsd_triage 2021-03-13 20:57:16 UTC
(In reply to Raphael Kubo da Costa from comment #10)
I think I had confused myself between the p7zip and 7-zip code bases with both being on Sourceforge.  https://sourceforge.net/projects/sevenzip/ has the newer source code, obviously.  The p7zip on Sourceforge is out-of-date.

However, there is a fork of p7zip on GitHub that is used by some Linux distros:  https://github.com/jinfeihan57/p7zip

Good news that a coworker shared with me, it looks like there will be an authentic 7-zip source base for Linux (and others):  https://sourceforge.net/p/sevenzip/discussion/45797/thread/cec5e63147/
Comment 12 commit-hook freebsd_committer freebsd_triage 2021-05-14 21:29:20 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a7699c7f100df85e22d2dc8b7f63822eac1a2a09

commit a7699c7f100df85e22d2dc8b7f63822eac1a2a09
Author:     Raphael Kubo da Costa <rakuco@FreeBSD.org>
AuthorDate: 2021-05-14 21:22:28 +0000
Commit:     Raphael Kubo da Costa <rakuco@FreeBSD.org>
CommitDate: 2021-05-14 21:28:39 +0000

    archivers/p7zip: Drop maintainership.

    I have not had time to properly maintain this port in ages, and do not
    think this will change in the foreseeable future.

    Someone needs to push bug 228239 beyond the finishing line (there is
    some confusion about whether the patch in Debian is enough or not), and
    hopefully investigate whether a p7zip fork should be adopted, or
    persuade the 7-Zip maintainer to publish the code for their Linux
    version (see comment #11 in the PR I mentioned).

    PR:             228239

 archivers/p7zip/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-28 02:01:32 UTC
^Triage: Maintainer drop, request feedback from ports-secteam to coordinate resolution
Comment 14 commit-hook freebsd_committer freebsd_triage 2021-12-11 22:03:30 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=221e594aa403533df8459e5054a982839e5f0124

commit 221e594aa403533df8459e5054a982839e5f0124
Author:     Carlo Strub <cs@FreeBSD.org>
AuthorDate: 2021-12-11 21:58:59 +0000
Commit:     Carlo Strub <cs@FreeBSD.org>
CommitDate: 2021-12-11 21:58:59 +0000

    security/vuxml: p7zip CVE-2018-10115

    PR:             228239
    Reported by:    Dani <i.dani@outlook.com>
    Security:       CVE-2018-10115

 security/vuxml/vuln-2021.xml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)