Bug 228239 - archivers/p7zip: Current version is vulnerable (CVE-2018-10115)
Summary: archivers/p7zip: Current version is vulnerable (CVE-2018-10115)
Status: Closed Feedback Timeout
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Raphael Kubo da Costa
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-14 09:18 UTC by Dani
Modified: 2020-03-30 15:41 UTC
CC: 4 users

See Also:
rakuco: maintainer-feedback+
i.dani: maintainer-feedback? (ports-secteam)
i.dani: merge-quarterly?


Attachments

Comment 1 Raphael Kubo da Costa freebsd_committer 2018-05-14 10:28:53 UTC
I'm aware of the vulnerability; the problem is that upstream is half-dead/unresponsive: while 7zip itself has been patched, the p7zip project only has a huge, unreviewed user-submitted patch: https://sourceforge.net/p/p7zip/discussion/383043/thread/5dd56271/

Given this bug doesn't affect Fedora and openSUSE, and neither Arch Linux nor Debian have incorporated that patch, I'm hesitant to be the first one to do that.
Comment 3 Jochen Neumeister freebsd_committer 2019-02-15 18:25:18 UTC
What is the current status?
Does ports-secteam have to be active here?
Comment 4 Raphael Kubo da Costa freebsd_committer 2019-02-24 22:04:05 UTC
This slipped through the cracks while I had very little time for FreeBSD... I took a look at this today, and I think the Debian patch can be improved. I've posted a new version to the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674#15 and would like to wait for some feedback before committing a fix to the tree.
Comment 5 Jochen Neumeister freebsd_committer 2020-03-14 21:18:15 UTC
Can we close here?