Your message dated Sun, 28 Jan 2018 23:05:22 +0000
with message-id <e1efw0o-000evm...@fasolo.debian.org>
and subject line Bug#888297: fixed in p7zip 16.02+dfsg-5
has caused the Debian Bug report #888297,
regarding p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: p7zip
Version: 16.02+dfsg-4
Severity: grave
Tags: upstream newcomer security
Justification: user security hole

Dear Maintainer,

p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
vulnerabilities:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn

In particular, the RAR3 and LZW algorithm implementations are susceptible to
memory corruption and may compromise a system through specially crafted
archives.

These issues have already been fixed upstream, and a new version of p7zip
(18.0) is available.

Please update all p7zip* packages to their latest versions as soon as possible.

Thank you.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages p7zip depends on:
ii  libc6       2.26-2
ii  libgcc1     1:7.2.0-19
ii  libstdc++6  7.2.0-19

p7zip recommends no packages.

Versions of packages p7zip suggests:
ii  p7zip-full  16.02+dfsg-4

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: p7zip
Source-Version: 16.02+dfsg-5

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Luberda <rob...@debian.org> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 28 Jan 2018 23:32:37 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source amd64
Version: 16.02+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <rob...@debian.org>
Changed-By: Robert Luberda <rob...@debian.org>
Description:
 p7zip      - 7zr file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Closes: 873943 888297
Changes:
 p7zip (16.02+dfsg-5) unstable; urgency=medium
 .
   * Hopefully fix ZIP Shrink: Heap Buffer Overflow (CVE-2017-17969). Thanks
     to Antoine Beaupré for the initial patch, based on upstream changes in
     7Zip 18.00.beta (closes: #888297).
   * Fix `deprecated use of operator++ on bool variable' g++ warning.
   * Fix a typo in man page introduced in 09-man-update.patch
     (closes: #873943).
   * Bump debhelper's compat level to 11.
   * Use 'https' URL in debian/watch (lintian).
   * Standards-Version: 4.1.3.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
