#7048: p7zip_15.09
-------------------------+--------------------------
Reporter: fo | Owner: blfs-book@…
Type: enhancement | Status: new
Priority: high | Milestone: 7.9
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-------------------------+--------------------------
Description changed by fo:
New description:
Security update, because I'm including a patch for CVE-2015-1038, similar
to the one used in Debian for the version in the book.

[http://downloads.sourceforge.net/project/p7zip/p7zip/15.09/p7zip_15.09_src_all.tar.bz2]

== Security ==

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038]

[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660]

== Changes and discussion ==

[http://sourceforge.net/p/p7zip/discussion/383043/thread/53f8df4f/]

{{{
15.09 source released!

Created: 5 days ago
Updated: 2 days ago

my p7zip
5 days ago

p7zip 15.09 beta was released.

What's new after p7zip 9.38.1:

• 7-Zip now can extract ext2 and multivolume VMDK images.
• 7-Zip now can extract ext3 and ext4 (Linux file system) images.
• support of cygwin 64 bits
• support of cygwin 64 bits with asm
• cygwin: fix in GetRamSize()
• cross building added:
  ◦ makefile.linux_cross_aarch64
  ◦ makefile.linux_cross_arm
  ◦ makefile.linux_cross_ppc
  ◦ makefile.linux_cross_ppc64
  ◦ makefile.linux_cross_ppc64le
  ◦ makefile.linux_cross_s390x (7za and 7zr pass tests, 7z does not pass tests)
• 7-Zip now can extract GPT images and single file QCOW2, VMDK, VDI images.
• 7-Zip now can extract solid WIM archives with LZMS compression.
• 7-Zip now can extract RAR5 archives.
• 7-Zip now doesn't sort files by type while adding to solid 7z archive.
• new -mqs switch to sort files by type while adding to solid 7z archive.
• 7-Zip now can create 7z, xz and zip archives with 1536 MB dictionary for LZMA/LZMA2.
• 7-Zip now can extract .zipx (WinZip) archives that use xz compression.

Last edit: my p7zip 5 days ago

İsmail Dönmez
3 days ago

Great news! But I see that the security patch for CVE-2015-1038 is still
not included. Any chance of fixing that?

my p7zip
3 days ago

I don't know what to do to solve CVE-2015-1038.

Please provide real examples and tell me what the program should do.

What do unzip, tar, ... do in that case?

İsmail Dönmez
2 days ago

This is all documented in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660. The essence
of the issue is: run the following commands:

ln -s /tmp dir
7z a test.7z dir
rm dir
mkdir dir
echo hello > dir/file
7z a test.7z dir/file
rm -r dir

and if you extract that test.7z you get a file /tmp/file, which is a
symlink traversal vulnerability. Attached is the patch from Debian
which seems to fix the issue (I rebased the patch against p7zip
15.09).

Attachments
p7zip-CVE-2015-1038.patch
}}}
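The failure the thread reproduces is generic to archive extractors: an archive carries a symlink entry first and then a regular file whose path passes through that symlink, so an extractor that writes wherever the path leads drops the file outside the extraction directory. The following is an added example, not code from the ticket, from p7zip or from the Debian patch. It builds a constructed two-entry archive with Python's standard-library tarfile module (assumed here in place of 7z so it runs offline), extracts it once naively and once with a containment check that resolves each destination with os.path.realpath before writing, and reports whether anything landed outside the root. The directory names `outside` and `extract_here` are placeholders standing in for /tmp and the current directory in the ticket's commands.

```python
import io
import os
import shutil
import tarfile
import tempfile
from typing import Dict, List, Optional


def build_demo_archive(outside_dir: str) -> bytes:
    """Constructed sample mirroring the ticket's reproduction:
    entry 1: symlink "dir" -> an absolute directory outside the extraction root
    entry 2: regular file "dir/file", which a naive extractor writes through the symlink
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("dir")
        link.type = tarfile.SYMTYPE
        link.linkname = outside_dir
        tar.addfile(link)
        payload = b"hello\n"
        regular = tarfile.TarInfo("dir/file")
        regular.size = len(payload)
        tar.addfile(regular, io.BytesIO(payload))
    return buf.getvalue()


def safe_destination(root: str, member_name: str) -> Optional[str]:
    """On-disk path for member_name, or None if writing it would escape root.

    realpath() resolves symlinks that already exist on disk, including ones the
    same archive created a moment ago, so a member whose parent is a symlink
    pointing outside root resolves to the outside location and is refused.
    """
    root_real = os.path.realpath(root)
    dest = os.path.join(root_real, member_name)
    dest_real = os.path.realpath(dest)
    if os.path.commonpath([root_real, dest_real]) != root_real:
        return None
    return dest


def extract(archive: bytes, root: str, hardened: bool) -> List[str]:
    """Extract archive into root; return the member names that were refused.

    hardened=False reproduces the naive behaviour (write wherever the path
    leads); hardened=True applies safe_destination() before every write.
    """
    refused: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            if hardened:
                dest = safe_destination(root, member.name)
                if dest is None:
                    refused.append(member.name)
                    continue
            else:
                dest = os.path.join(root, member.name)
            if member.issym():
                os.symlink(member.linkname, dest)
            elif member.isfile():
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
    return refused


def demo() -> Dict[str, dict]:
    """Run both extraction modes in throwaway directories and report the outcome."""
    results: Dict[str, dict] = {}
    for mode in ("naive", "hardened"):
        base = tempfile.mkdtemp()
        try:
            outside = os.path.join(base, "outside")      # placeholder for /tmp
            root = os.path.join(base, "extract_here")    # placeholder for the cwd
            os.mkdir(outside)
            os.mkdir(root)
            refused = extract(build_demo_archive(outside), root,
                              hardened=(mode == "hardened"))
            results[mode] = {
                "outside_file_written": os.path.exists(os.path.join(outside, "file")),
                "refused": refused,
            }
        finally:
            shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode:9s} outside file written: {outcome['outside_file_written']}, "
              f"refused: {outcome['refused']}")
```

The hardened path lets the symlink entry itself through, since creating it writes nothing outside the root, and refuses only the write that would pass through it; a stricter policy can additionally reject symlink members whose target is absolute or contains `..`. For real tarballs, recent Python releases provide an equivalent containment policy through tarfile's extraction `filter` argument (`filter="data"`), which should be preferred over a hand-rolled check.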
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/7048#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch