#7048: p7zip 15.14.1
-------------------------+--------------------------
Reporter: fo | Owner: blfs-book@…
Type: enhancement | Status: new
Priority: normal | Milestone: 7.10
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-------------------------+--------------------------
Changes (by Krejzi):
* priority: low => normal
* milestone: hold => 7.10
Old description:
> Security update, because I'm including a patch for CVE-2015-1038, similar
> to the one used ib Debian for the version in the book.
>
> [http://downloads.sourceforge.net/project/p7zip/p7zip/15.09/p7zip_15.09_src_all.tar.bz2]
>
> == Security ==
>
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038]
>
> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660]
>
> == Changes and discussion ==
>
> [http://sourceforge.net/p/p7zip/discussion/383043/thread/53f8df4f/]
>
> {{{
> 15.09 source released!
>
> Created: 5 days ago
> Updated: 2 days ago
>
> my p7zip
> my p7zip
> 5 days ago
>
> p7zip 15.09 beta was released.
>
> What's new after p7zip 9.38.1 :
>
> • 7-Zip now can extract ext2 and multivolume VMDK images.
> • 7-Zip now can extract ext3 and ext4 (Linux file system) images.
> • support of cygwin 64 bits
> • support of cygwin 64 bits with asm
> • cygwin : fix in GetRamSize()
> • cross building added :
> ◦ makefile.linux_cross_aarch64
> ◦ makefile.linux_cross_arm
> ◦ makefile.linux_cross_ppc
> ◦ makefile.linux_cross_ppc64
> ◦ makefile.linux_cross_ppc64le
> ◦ makefile.linux_cross_s390x (7za and 7zr pass tests, 7z does not
> pass tests)
>
> • 7-Zip now can extract GPT images and single file QCOW2, VMDK, VDI
> images.
> • 7-Zip now can extract solid WIM archives with LZMS compression.
> • 7-Zip now can extract RAR5 archives.
> • 7-Zip now doesn't sort files by type while adding to solid 7z
> archive.
> • new -mqs switch to sort files by type while adding to solid 7z
> archive.
> • 7-Zip now can create 7z, xz and zip archives with 1536 MB
> dictionary for LZMA/LZMA2.
> • 7-Zip now can extract .zipx (WinZip) archives that use xz
> compression.
>
> Last edit: my p7zip 5 days ago
>
> İsmail Dönmez
> İsmail Dönmez
> 3 days ago
>
> Great news! But I see that security patch for CVE-2015-1038 is still
> not included. Any chance of fixing that?
>
> my p7zip
> my p7zip
> 3 days ago
>
> I don't know what to do to solve CVE-2015-1038.
>
> Please provide real examples and tell me what the program should do.
>
> What do unzip, tar, .... in that case ?
>
> İsmail Dönmez
> İsmail Dönmez
> 2 days ago
>
> This is all documented in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660 the essence
> of the issue is, run the following commands:
>
> ln -s /tmp dir
> 7z a test.7z dir
> rm dir
> mkdir dir
> echo hello > dir/file
> 7z a test.7z dir/file
> rm -r dir
>
> and if you extract that test.7z you got a file /tmp/file , which is
> symlink traversing vulnerability. Attached is the patch from Debian
> which seems to fix the issue (I rebased the patch against p7zip
> 15.09).
>
> Attachments
> p7zip-CVE-2015-1038.patch
> }}}
New description:
https://downloads.sourceforge.net/p7zip/p7zip_15.14.1_src_all.tar.bz2
--
Comment:
15.14.1 is out
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/7048#comment:4>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
