The current version 16.02_1 has a critical vulnerability. https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10115
I'm aware of the vulnerability, the problem is that upstream is half-dead/unresponsive: while 7zip itself has been patched, the p7zip project only has a huge, unreviewed user-submitted patch: https://sourceforge.net/p/p7zip/discussion/383043/thread/5dd56271/ Given this bug doesn't affect Fedora and openSUSE, and neither Arch Linux not Debian have incorporated that patch, I'm hesitant to be the first one to do that.
https://sources.debian.org/src/p7zip-rar/16.02-3/debian/patches/CVE-2018-10115.patch/ Debian has a patch
what is the current status? Does ports-secteam have to be active here?
This slipped through the cracks while I had very little time for FreeBSD... I took a look at this today, and I think the Debian patch can be improved. I've posted a new version to the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674#15 and would like to wait for some feedback before committing a fix to the tree.
can we close here?
Reopening, as this was brought up again in bug 252810.
*** Bug 252810 has been marked as a duplicate of this bug. ***
(In reply to Raphael Kubo da Costa from comment #6) You Assignee this PR. Why open the PR if they don't commit the update from the other PR? Since it no longer requires approval from ports-secteam, I am removing us (ports-secteam) from this PR
To answer the question asked in bug 252810, it does appear that the code that exists in p7zip 18.05 fixes both CVE's based upon the author's comment. I am fine with using code from the later version of p7zip. If in doubt, there is also the option to upgrade the port to a newer version of p7zip. :) 18.06 or 19.00. I believe 20 is still in beta.
(In reply to Sean Farley from comment #9) > If in doubt, there is also the option to upgrade the port to > a newer version of p7zip. :) 18.06 or 19.00. I believe 20 > is still in beta. Can you point to where these new versions are available? The latest version in SourceForge is still 16.02.
(In reply to Raphael Kubo da Costa from comment #10) I think I had confused myself between the p7zip and 7-zip code bases with both being on Sourceforge. https://sourceforge.net/projects/sevenzip/ has the newer source code, obviously. The p7zip on Sourceforge is out-of-date. However, there is a fork of p7zip on GitHub that is used by some Linux distros: https://github.com/jinfeihan57/p7zip Good news that a coworker shared with me, it looks like there will be an authentic 7-zip source base for Linux (and others): https://sourceforge.net/p/sevenzip/discussion/45797/thread/cec5e63147/
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=a7699c7f100df85e22d2dc8b7f63822eac1a2a09 commit a7699c7f100df85e22d2dc8b7f63822eac1a2a09 Author: Raphael Kubo da Costa <rakuco@FreeBSD.org> AuthorDate: 2021-05-14 21:22:28 +0000 Commit: Raphael Kubo da Costa <rakuco@FreeBSD.org> CommitDate: 2021-05-14 21:28:39 +0000 archivers/p7zip: Drop maintainership. I have not had time to properly maintain this port in ages, and do not think this will change in the foreseeable future. Someone needs to push bug 228239 beyond the finishing line (there is some confusion about whether the patch in Debian is enough or not), and hopefully investigate whether a p7zip fork should be adopted, or persuade the 7-Zip maintainer to publish the code for their Linux version (see comment #11 in the PR I mentioned). PR: 228239 archivers/p7zip/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
^Triage: Maintainer drop, request feedback from ports-secteam to coordinate resolution