The current version 16.02_1 has a critical vulnerability.
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10115
I'm aware of the vulnerability; the problem is that upstream is half-dead/unresponsive: while 7-Zip itself has been patched, the p7zip project only has a huge, unreviewed user-submitted patch: https://sourceforge.net/p/p7zip/discussion/383043/thread/5dd56271/ Given this bug doesn't affect Fedora and openSUSE, and neither Arch Linux nor Debian has incorporated that patch, I'm hesitant to be the first one to do that.
Debian has a patch: https://sources.debian.org/src/p7zip-rar/16.02-3/debian/patches/CVE-2018-10115.patch/
what is the current status? Does ports-secteam have to be active here?
This slipped through the cracks while I had very little time for FreeBSD... I took a look at this today, and I think the Debian patch can be improved. I've posted a new version to the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674#15 and would like to wait for some feedback before committing a fix to the tree.
can we close here?
Reopening, as this was brought up again in bug 252810.
*** Bug 252810 has been marked as a duplicate of this bug. ***
(In reply to Raphael Kubo da Costa from comment #6) You are the Assignee of this PR. Why open the PR if they don't commit the update from the other PR? Since it no longer requires approval from ports-secteam, I am removing us (ports-secteam) from this PR.
To answer the question asked in bug 252810, it does appear that the code that exists in p7zip 18.05 fixes both CVEs, based upon the author's comment. I am fine with using code from the later version of p7zip. If in doubt, there is also the option to upgrade the port to a newer version of p7zip. :) 18.06 or 19.00. I believe 20 is still in beta.
(In reply to Sean Farley from comment #9) > If in doubt, there is also the option to upgrade the port to > a newer version of p7zip. :) 18.06 or 19.00. I believe 20 > is still in beta. Can you point to where these new versions are available? The latest version on SourceForge is still 16.02.