#7048: p7zip_15.09
-------------------------+-------------------------
Reporter: fo | Owner: blfs-book@…
Type: enhancement | Status: new
Priority: high | Milestone: 7.9
Component: BOOK | Version: SVN
Severity: normal | Keywords:
-------------------------+-------------------------
Security update, because I'm including a patch for CVE-2015-1038, similar
to the one used ib Debian for the version in the book.
[http://downloads.sourceforge.net/project/p7zip/p7zip/15.09/p7zip_15.09_src_all.tar.bz2]
== Securit y==
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038]
[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660]
== Changes and discussion ==
[http://sourceforge.net/p/p7zip/discussion/383043/thread/53f8df4f/]
{{{
15.09 source released!
Created: 5 days ago
Updated: 2 days ago
my p7zip
my p7zip
5 days ago
p7zip 15.09 beta was released.
What's new after p7zip 9.38.1 :
• 7-Zip now can extract ext2 and multivolume VMDK images.
• 7-Zip now can extract ext3 and ext4 (Linux file system) images.
• support of cygwin 64 bits
• support of cygwin 64 bits with asm
• cygwin : fix in GetRamSize()
• cross building added :
◦ makefile.linux_cross_aarch64
◦ makefile.linux_cross_arm
◦ makefile.linux_cross_ppc
◦ makefile.linux_cross_ppc64
◦ makefile.linux_cross_ppc64le
◦ makefile.linux_cross_s390x (7za and 7zr pass tests, 7z does not
pass tests)
• 7-Zip now can extract GPT images and single file QCOW2, VMDK, VDI
images.
• 7-Zip now can extract solid WIM archives with LZMS compression.
• 7-Zip now can extract RAR5 archives.
• 7-Zip now doesn't sort files by type while adding to solid 7z
archive.
• new -mqs switch to sort files by type while adding to solid 7z
archive.
• 7-Zip now can create 7z, xz and zip archives with 1536 MB
dictionary for LZMA/LZMA2.
• 7-Zip now can extract .zipx (WinZip) archives that use xz
compression.
Last edit: my p7zip 5 days ago
İsmail Dönmez
İsmail Dönmez
3 days ago
Great news! But I see that security patch for CVE-2015-1038 is still
not included. Any chance of fixing that?
my p7zip
my p7zip
3 days ago
I don't know what to do to solve CVE-2015-1038.
Please provide real examples and tell me what the program should do.
What do unzip, tar, .... in that case ?
İsmail Dönmez
İsmail Dönmez
2 days ago
This is all documented in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660 the essence
of the issue is, run the following commands:
ln -s /tmp dir
7z a test.7z dir
rm dir
mkdir dir
echo hello > dir/file
7z a test.7z dir/file
rm -r dir
and if you extract that test.7z you got a file /tmp/file , which is
symlink traversing vulnerability. Attached is the patch from Debian
which seems to fix the issue (I rebased the patch against p7zip
15.09).
Attachments
p7zip-CVE-2015-1038.patch
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/7048>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
