Bug 228239 - archivers/p7zip: Current version is vulnerable (CVE-2018-10115)
Summary: archivers/p7zip: Current version is vulnerable (CVE-2018-10115)
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Raphael Kubo da Costa
URL:
Keywords:
Duplicates: 252810
Depends on:
Blocks:
 
Reported: 2018-05-14 09:18 UTC by Dani
Modified: 2021-02-15 07:50 UTC (History)
CC: 3 users

See Also:
rakuco: maintainer-feedback+
i.dani: merge-quarterly?


Attachments

Comment 1 Raphael Kubo da Costa freebsd_committer 2018-05-14 10:28:53 UTC
I'm aware of the vulnerability, the problem is that upstream is half-dead/unresponsive: while 7zip itself has been patched, the p7zip project only has a huge, unreviewed user-submitted patch: https://sourceforge.net/p/p7zip/discussion/383043/thread/5dd56271/

Given this bug doesn't affect Fedora and openSUSE, and neither Arch Linux nor Debian have incorporated that patch, I'm hesitant to be the first one to do that.
Comment 3 Jochen Neumeister freebsd_committer 2019-02-15 18:25:18 UTC
What is the current status?
Does ports-secteam have to be active here?
Comment 4 Raphael Kubo da Costa freebsd_committer 2019-02-24 22:04:05 UTC
This slipped through the cracks while I had very little time for FreeBSD... I took a look at this today, and I think the Debian patch can be improved. I've posted a new version to the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674#15 and would like to wait for some feedback before committing a fix to the tree.
Comment 5 Jochen Neumeister freebsd_committer 2020-03-14 21:18:15 UTC
Can we close here?
Comment 6 Raphael Kubo da Costa freebsd_committer 2021-01-23 11:07:05 UTC
Reopening, as this was brought up again in bug 252810.
Comment 7 Raphael Kubo da Costa freebsd_committer 2021-01-23 11:09:30 UTC
*** Bug 252810 has been marked as a duplicate of this bug. ***
Comment 8 Jochen Neumeister freebsd_committer 2021-02-13 18:17:45 UTC
(In reply to Raphael Kubo da Costa from comment #6)

You assigned this PR. Why open the PR if they don't commit the update from the other PR?

Since it no longer requires approval from ports-secteam, I am removing us (ports-secteam) from this PR
Comment 9 Sean Farley freebsd_committer 2021-02-15 02:09:01 UTC
To answer the question asked in bug 252810, it does appear that the code that exists in p7zip 18.05 fixes both CVEs based upon the author's comment. I am fine with using code from the later version of p7zip.

If in doubt, there is also the option to upgrade the port to a newer version of p7zip. :) 18.06 or 19.00. I believe 20 is still in beta.
Comment 10 Raphael Kubo da Costa freebsd_committer 2021-02-15 07:50:34 UTC
(In reply to Sean Farley from comment #9)
> If in doubt, there is also the option to upgrade the port to
> a newer version of p7zip.  :)  18.06 or 19.00.  I believe 20
> is still in beta.

Can you point to where these new versions are available? The latest version in SourceForge is still 16.02.