228239 – archivers/p7zip: Current version is vulnerable (CVE-2018-10115)

Bug 228239 - archivers/p7zip: Current version is vulnerable (CVE-2018-10115)

Summary: archivers/p7zip: Current version is vulnerable (CVE-2018-10115)

Status:	In Progress

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	Raphael Kubo da Costa

URL:
Keywords:

Duplicates (1):	252810 (view as bug list)
Depends on:
Blocks:

Reported:	2018-05-14 09:18 UTC by Dani
Modified:	2021-02-15 07:50 UTC (History)
CC List:	3 users (show)

See Also:

Flags:	rakuco: maintainer-feedback+ i.dani: merge-quarterly?

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dani 2018-05-14 09:18:05 UTC

The current version 16.02_1 has a critical vulnerability.

https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10115

Comment 1 Raphael Kubo da Costa freebsd_committer

2018-05-14 10:28:53 UTC

I'm aware of the vulnerability, the problem is that upstream is half-dead/unresponsive: while 7zip itself has been patched, the p7zip project only has a huge, unreviewed user-submitted patch: https://sourceforge.net/p/p7zip/discussion/383043/thread/5dd56271/

Given this bug doesn't affect Fedora and openSUSE, and neither Arch Linux not Debian have incorporated that patch, I'm hesitant to be the first one to do that.

Comment 2 Nathan 2018-09-10 04:44:35 UTC

https://sources.debian.org/src/p7zip-rar/16.02-3/debian/patches/CVE-2018-10115.patch/ 

Debian has a patch

Comment 3 Jochen Neumeister freebsd_committer

2019-02-15 18:25:18 UTC

what is the current status?
Does ports-secteam have to be active here?

Comment 4 Raphael Kubo da Costa freebsd_committer

2019-02-24 22:04:05 UTC

This slipped through the cracks while I had very little time for FreeBSD... I took a look at this today, and I think the Debian patch can be improved. I've posted a new version to the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674#15 and would like to wait for some feedback before committing a fix to the tree.

Comment 5 Jochen Neumeister freebsd_committer

2020-03-14 21:18:15 UTC

can we close here?

Comment 6 Raphael Kubo da Costa freebsd_committer

2021-01-23 11:07:05 UTC

Reopening, as this was brought up again in bug 252810.

Comment 7 Raphael Kubo da Costa freebsd_committer

2021-01-23 11:09:30 UTC

*** Bug 252810 has been marked as a duplicate of this bug. ***

Comment 8 Jochen Neumeister freebsd_committer

2021-02-13 18:17:45 UTC

(In reply to Raphael Kubo da Costa from comment #6)

You Assignee this PR. Why open the PR if they don't commit the update from the other PR?

Since it no longer requires approval from ports-secteam, I am removing us (ports-secteam) from this PR

Comment 9 Sean Farley freebsd_committer

2021-02-15 02:09:01 UTC

To answer the question asked in bug 252810, it does appear that the code that exists in p7zip 18.05 fixes both CVE's based upon the author's comment.  I am fine with using code from the later version of p7zip.

If in doubt, there is also the option to upgrade the port to a newer version of p7zip.  :)  18.06 or 19.00.  I believe 20 is still in beta.

Comment 10 Raphael Kubo da Costa freebsd_committer

2021-02-15 07:50:34 UTC

(In reply to Sean Farley from comment #9)
> If in doubt, there is also the option to upgrade the port to
> a newer version of p7zip.  :)  18.06 or 19.00.  I believe 20
> is still in beta.

Can you point to where these new versions are available? The latest version in SourceForge is still 16.02.