The current version 16.02_1 has a critical vulnerability.
I'm aware of the vulnerability, the problem is that upstream is half-dead/unresponsive: while 7zip itself has been patched, the p7zip project only has a huge, unreviewed user-submitted patch: https://sourceforge.net/p/p7zip/discussion/383043/thread/5dd56271/
Given this bug doesn't affect Fedora and openSUSE, and neither Arch Linux nor Debian have incorporated that patch, I'm hesitant to be the first one to do that.
Debian has a patch
what is the current status?
Does ports-secteam have to be active here?
This slipped through the cracks while I had very little time for FreeBSD... I took a look at this today, and I think the Debian patch can be improved. I've posted a new version to the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674#15 and would like to wait for some feedback before committing a fix to the tree.
can we close here?
Reopening, as this was brought up again in bug 252810.
*** Bug 252810 has been marked as a duplicate of this bug. ***
(In reply to Raphael Kubo da Costa from comment #6)
You are the assignee of this PR. Why open the PR if they don't commit the update from the other PR?
Since it no longer requires approval from ports-secteam, I am removing us (ports-secteam) from this PR
To answer the question asked in bug 252810, it does appear that the code that exists in p7zip 18.05 fixes both CVEs based upon the author's comment. I am fine with using code from the later version of p7zip.
If in doubt, there is also the option to upgrade the port to a newer version of p7zip. :) 18.06 or 19.00. I believe 20 is still in beta.
(In reply to Sean Farley from comment #9)
> If in doubt, there is also the option to upgrade the port to
> a newer version of p7zip. :) 18.06 or 19.00. I believe 20
> is still in beta.
Can you point to where these new versions are available? The latest version in SourceForge is still 16.02.