Package: release.debian.org Control: affects -1 + src:7zip X-Debbugs-Cc: [email protected], [email protected], [email protected] User: [email protected] Usertags: pu Tags: bookworm X-Debbugs-Cc: [email protected] Severity: normal
Hello Release team, [ Reason ] 7zip in bookworm is affected by multiple security issues. https://security-tracker.debian.org/tracker/source-package/7zip no-dsa: CVE-2023-31102 CVE-2023-40481 CVE-2025-11001 CVE-2025-11002 CVE-2025-55188 unimportant: CVE-2024-11612 CVE-2025-53817 The 7-zip project imports new releases in Git but does not provide any history nor CVE information, making it difficult to isolate patches and apply them to older p7zip code base: https://github.com/ip7z/7zip/commits/main/ Hence we're proposing to bump the 7zip codebase to v25.01 (trixie). (v26.00 was recently released but does not ship security fixes.) [ Impact ] Users are vulnerable to several directory traversals when handling archives, both in .7z and other formats that 7zip supports, and memory corruption in a couple format handlers. 7zip is used as a backend by the 'arqiver' graphical interface, so this isn't limited to CLI. There are more such rdeps in trixie (ark, engrampa...), but in bookworm the GUI impact is limited. [ Tests ] Superficial DEP-8 tests are shipped with 7zip (including running its built-in benchmark). Manual tests were performed with various archive formats, directly and through 'arqiver'. Salsa-CI is setup: https://salsa.debian.org/debian/7zip/-/pipelines/1038002 as well as a debusine experiment: https://debusine.debian.net/debian/developers-beuc-secure7zip/work-request/489960/ [ Risks ] Discussing with jmm, "moving with full releases for 7zip seems fine given it's just an edge package and CLI". Moreover, in bookworm, the p7zip->7zip transition didn't happen yet, so 7zip has few reverse dependencies and only provides the bin/7zz executable. 7zip-rar is not introduced yet either. The 7zip codebase is quite stable, and so are the CLI options. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] We're importing the v25.01 codebase on top of the bookworm packaging. This is not a backport from trixie, as the packaging changed a lot to handle the p7zip->7zip transition, as well as assembly compilation. As the full debdiff is very noisy due to all the new upstream code, care was taken to create a step-by-step minimal import on top of v22, for review: https://salsa.debian.org/debian/7zip/-/tree/debian/bookworm - The packaging was left untouched, except for enabling salsa-ci.yml, and fixing gbp.conf to properly target oldstable. - The patches were refreshed from the trixie version, some renamed to align with trixie: - Patches for ASM support were left out; so it the one introducing codepage changes (functional change) - Obsolete bookworm patches were removed. Attached are debdiffs of debian/, with and without patches/. Full debdiff with new codebase is large (6.4MB) and was not included, however this reuses the trixie tarball identically. [ Other info ] There's a on-going effort to address p7zip security issues by upgrading p7zip to a patched 7zip, but this is a separate issue, and separate SPUs will be filled: https://lists.debian.org/debian-lts/2026/03/msg00009.html This incidentally shows the stability of the 7zip CLI, as the 7zip codebase was ported back to stretch to replace p7zip, with few issues. -- Sylvain Beucler Debian LTS Team
diff -Nru 7zip-22.01+dfsg/debian/changelog 7zip-25.01+dfsg/debian/changelog --- 7zip-22.01+dfsg/debian/changelog 2024-10-17 18:45:17.000000000 +0200 +++ 7zip-25.01+dfsg/debian/changelog 2026-03-06 07:46:31.000000000 +0100 @@ -1,3 +1,29 @@ +7zip (25.01+dfsg-0+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Bump to upstream 25.01, fixes: + - CVE-2023-31102 + - CVE-2023-40481 + - CVE-2024-11612 + - CVE-2025-11001 + - CVE-2025-11002 + - CVE-2025-53817 + - CVE-2025-55188 + * Sync patches from 25.01+dfsg-1~deb13u1: + - keep old patches: + - 000*-Remove-unwanted-hack-for-object-files.patch (no 7z.so) + - drop new patches: + - 000*-Use-c-flags-for-asmc.patch (no ASM) + - 000*-Add-fpic-for-Asmc-options.patch (no ASM) + - 000*-Use-system-locale-to-select-codepage-for-legacy-zip-.patch + (behavior change) + * No changes to packaging to avoid disruption in stable release (no + split package, no ASM support, no files in /usr/lib/7z/, etc.) + * Enable Salsa CI. + * Configure git-buildpackage for oldstable. + + -- Sylvain Beucler <[email protected]> Fri, 06 Mar 2026 07:46:31 +0100 + 7zip (22.01+dfsg-8+deb12u1) bookworm; urgency=medium * Fix CVE-2023-52168 (buffer overflow) and CVE-2023-52169 (buffer over-read) diff -Nru 7zip-22.01+dfsg/debian/gbp.conf 7zip-25.01+dfsg/debian/gbp.conf --- 7zip-22.01+dfsg/debian/gbp.conf 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/gbp.conf 2026-03-04 12:25:37.000000000 +0100 @@ -1,2 +1,5 @@ +[DEFAULT] +debian-branch = debian/bookworm + [import-orig] pristine-tar = True diff -Nru 7zip-22.01+dfsg/debian/salsa-ci.yml 7zip-25.01+dfsg/debian/salsa-ci.yml --- 7zip-22.01+dfsg/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ 7zip-25.01+dfsg/debian/salsa-ci.yml 2026-02-11 07:26:32.000000000 +0100 @@ -0,0 +1,3 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
diff -Nru 7zip-22.01+dfsg/debian/changelog 7zip-25.01+dfsg/debian/changelog --- 7zip-22.01+dfsg/debian/changelog 2024-10-17 18:45:17.000000000 +0200 +++ 7zip-25.01+dfsg/debian/changelog 2026-03-06 07:46:31.000000000 +0100 @@ -1,3 +1,29 @@ +7zip (25.01+dfsg-0+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Bump to upstream 25.01, fixes: + - CVE-2023-31102 + - CVE-2023-40481 + - CVE-2024-11612 + - CVE-2025-11001 + - CVE-2025-11002 + - CVE-2025-53817 + - CVE-2025-55188 + * Sync patches from 25.01+dfsg-1~deb13u1: + - keep old patches: + - 000*-Remove-unwanted-hack-for-object-files.patch (no 7z.so) + - drop new patches: + - 000*-Use-c-flags-for-asmc.patch (no ASM) + - 000*-Add-fpic-for-Asmc-options.patch (no ASM) + - 000*-Use-system-locale-to-select-codepage-for-legacy-zip-.patch + (behavior change) + * No changes to packaging to avoid disruption in stable release (no + split package, no ASM support, no files in /usr/lib/7z/, etc.) + * Enable Salsa CI. + * Configure git-buildpackage for oldstable. + + -- Sylvain Beucler <[email protected]> Fri, 06 Mar 2026 07:46:31 +0100 + 7zip (22.01+dfsg-8+deb12u1) bookworm; urgency=medium * Fix CVE-2023-52168 (buffer overflow) and CVE-2023-52169 (buffer over-read) diff -Nru 7zip-22.01+dfsg/debian/gbp.conf 7zip-25.01+dfsg/debian/gbp.conf --- 7zip-22.01+dfsg/debian/gbp.conf 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/gbp.conf 2026-03-04 12:25:37.000000000 +0100 @@ -1,2 +1,5 @@ +[DEFAULT] +debian-branch = debian/bookworm + [import-orig] pristine-tar = True diff -Nru 7zip-22.01+dfsg/debian/patches/0001-Accept-Debian-build-flags.patch 7zip-25.01+dfsg/debian/patches/0001-Accept-Debian-build-flags.patch --- 7zip-22.01+dfsg/debian/patches/0001-Accept-Debian-build-flags.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0001-Accept-Debian-build-flags.patch 2026-02-11 08:34:56.000000000 +0100 @@ -4,46 +4,54 @@ Forwarded: not-needed --- - CPP/7zip/7zip_gcc.mak | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) + CPP/7zip/7zip_gcc.mak | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CPP/7zip/7zip_gcc.mak b/CPP/7zip/7zip_gcc.mak -index 2a24e06..090e498 100755 +index 8fbef14..2756ba4 100644 --- a/CPP/7zip/7zip_gcc.mak +++ b/CPP/7zip/7zip_gcc.mak -@@ -82,7 +82,7 @@ endif +@@ -45,7 +45,7 @@ CFLAGS_DEBUG = -g + else + CFLAGS_DEBUG = -DNDEBUG + ifneq ($(CC), $(CROSS_COMPILE)clang) +-LFLAGS_STRIP = -s ++LFLAGS_STRIP = + endif + endif + +@@ -104,14 +104,14 @@ SHARED_EXT=.dll + LDFLAGS = -shared -DEF $(DEF_FILE) $(LDFLAGS_STATIC) + else + SHARED_EXT=.so +-LDFLAGS = -shared -fPIC $(LDFLAGS_STATIC) ++LDFLAGS = -shared -fPIC $(DEB_LDFLAGS) $(LDFLAGS_STATIC) + CC_SHARED=-fPIC + endif + else -LDFLAGS = $(LDFLAGS_STATIC) +LDFLAGS = $(DEB_LDFLAGS) $(LDFLAGS_STATIC) - # -s is not required for clang, do we need it for GGC ??? - # -s + # -z force-bti + # -s is not required for clang, do we need it for GCC ??? -@@ -138,7 +138,7 @@ endif +@@ -169,7 +169,7 @@ endif --CFLAGS = $(MY_ARCH_2) $(LOCAL_FLAGS) $(CFLAGS_BASE2) $(CFLAGS_BASE) $(CC_SHARED) -o $@ -+CFLAGS = $(DEB_CFLAGS) $(DEB_CPPFLAGS) $(MY_ARCH_2) $(LOCAL_FLAGS) $(CFLAGS_BASE2) $(CFLAGS_BASE) $(CC_SHARED) -o $@ +-CFLAGS = $(MY_ARCH_2) $(LOCAL_FLAGS) $(CFLAGS_BASE2) $(CFLAGS_BASE) $(FLAGS_FLTO) $(CC_SHARED) -o $@ ++CFLAGS = $(DEB_CFLAGS) $(DEB_CPPFLAGS) $(MY_ARCH_2) $(LOCAL_FLAGS) $(CFLAGS_BASE2) $(CFLAGS_BASE) $(FLAGS_FLTO) $(CC_SHARED) -o $@ ifdef IS_MINGW -@@ -179,7 +179,7 @@ CXX_WARN_FLAGS = +@@ -210,7 +210,7 @@ CXX_WARN_FLAGS = #-Wno-invalid-offsetof #-Wno-reorder --CXXFLAGS = $(MY_ARCH_2) $(LOCAL_FLAGS) $(CXXFLAGS_BASE2) $(CFLAGS_BASE) $(CXXFLAGS_EXTRA) $(CC_SHARED) -o $@ $(CXX_WARN_FLAGS) -+CXXFLAGS = $(DEB_CXXFLAGS) $(DEB_CPPFLAGS) $(MY_ARCH_2) $(LOCAL_FLAGS) $(CXXFLAGS_BASE2) $(CFLAGS_BASE) $(CXXFLAGS_EXTRA) $(CC_SHARED) -o $@ $(CXX_WARN_FLAGS) +-CXXFLAGS = $(MY_ARCH_2) $(LOCAL_FLAGS) $(CXXFLAGS_BASE2) $(CFLAGS_BASE) $(FLAGS_FLTO) $(CXXFLAGS_EXTRA) $(CC_SHARED) $(CXX_WARN_FLAGS) $(CXX_STD_FLAGS) $(CXX_INCLUDE_FLAGS) -o $@ ++CXXFLAGS = $(DEB_CXXFLAGS) $(DEB_CPPFLAGS) $(MY_ARCH_2) $(LOCAL_FLAGS) $(CXXFLAGS_BASE2) $(CFLAGS_BASE) $(FLAGS_FLTO) $(CXXFLAGS_EXTRA) $(CC_SHARED) $(CXX_WARN_FLAGS) $(CXX_STD_FLAGS) $(CXX_INCLUDE_FLAGS) -o $@ STATIC_TARGET= ifdef COMPL_STATIC -@@ -192,7 +192,7 @@ all: $(O) $(PROGPATH) $(STATIC_TARGET) - $(O): - $(MY_MKDIR) $(O) - --LFLAGS_ALL = -s $(MY_ARCH_2) $(LDFLAGS) $(LD_arch) $(OBJS) $(MY_LIBS) $(LIB2) -+LFLAGS_ALL = $(MY_ARCH_2) $(LDFLAGS) $(LD_arch) $(OBJS) $(MY_LIBS) $(LIB2) - $(PROGPATH): $(OBJS) - $(CXX) -o $(PROGPATH) $(LFLAGS_ALL) - diff -Nru 7zip-22.01+dfsg/debian/patches/0002-Use-GCC-10-warning-options.patch 7zip-25.01+dfsg/debian/patches/0002-Use-GCC-10-warning-options.patch --- 7zip-22.01+dfsg/debian/patches/0002-Use-GCC-10-warning-options.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0002-Use-GCC-10-warning-options.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,22 +0,0 @@ -From: YOKOTA Hiroshi <[email protected]> -Date: Tue, 31 Aug 2021 19:20:33 +0900 -Subject: Use GCC 10 warning options - -Forwarded: not-needed ---- - CPP/7zip/warn_gcc.mak | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CPP/7zip/warn_gcc.mak b/CPP/7zip/warn_gcc.mak -index afc0c9d..230d2f0 100755 ---- a/CPP/7zip/warn_gcc.mak -+++ b/CPP/7zip/warn_gcc.mak -@@ -50,7 +50,7 @@ CFLAGS_WARN_GCC_PPMD_UNALIGNED = \ - -Wno-strict-aliasing \ - - --CFLAGS_WARN = $(CFLAGS_WARN_GCC_9) \ -+CFLAGS_WARN = $(CFLAGS_WARN_GCC_10) \ - - # $(CFLAGS_WARN_GCC_PPMD_UNALIGNED) - diff -Nru 7zip-22.01+dfsg/debian/patches/0002-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch 7zip-25.01+dfsg/debian/patches/0002-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch --- 7zip-22.01+dfsg/debian/patches/0002-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch 1970-01-01 01:00:00.000000000 +0100 +++ 7zip-25.01+dfsg/debian/patches/0002-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch 2026-02-11 08:34:56.000000000 +0100 @@ -0,0 +1,39 @@ +From: YOKOTA Hiroshi <[email protected]> +Date: Wed, 15 Sep 2021 00:02:36 +0900 +Subject: Use getcwd(3) POSIX extension to avoid PATH_MAX macro + +Forwarded: https://sourceforge.net/p/sevenzip/patches/369/ + +This fix helps GNU Hurd. +--- + CPP/Windows/FileDir.cpp | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/CPP/Windows/FileDir.cpp b/CPP/Windows/FileDir.cpp +index 4a4bf52..e1747fc 100644 +--- a/CPP/Windows/FileDir.cpp ++++ b/CPP/Windows/FileDir.cpp +@@ -1141,22 +1141,11 @@ bool GetCurrentDir(FString &path) + { + path.Empty(); + +- #define MY_PATH_MAX PATH_MAX +- // #define MY_PATH_MAX 1024 +- +- char s[MY_PATH_MAX + 1]; +- char *res = getcwd(s, MY_PATH_MAX); +- if (res) +- { +- path = fas2fs(s); +- return true; +- } + { +- // if (errno != ERANGE) return false; + #if defined(__GLIBC__) || defined(__APPLE__) + /* As an extension to the POSIX.1-2001 standard, glibc's getcwd() + allocates the buffer dynamically using malloc(3) if buf is NULL. */ +- res = getcwd(NULL, 0); ++ char *res = getcwd(NULL, 0); + if (res) + { + path = fas2fs(res); diff -Nru 7zip-22.01+dfsg/debian/patches/0003-Disable-hardware-acceleration-support-on-armel.patch 7zip-25.01+dfsg/debian/patches/0003-Disable-hardware-acceleration-support-on-armel.patch --- 7zip-22.01+dfsg/debian/patches/0003-Disable-hardware-acceleration-support-on-armel.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0003-Disable-hardware-acceleration-support-on-armel.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,159 +0,0 @@ -From: YOKOTA Hiroshi <[email protected]> -Date: Tue, 14 Sep 2021 23:51:04 +0900 -Subject: Disable hardware acceleration support on armel - -Use "__ARM_ARCH" to split "armel" and "armhf" - -__ARM_ARCH: - armel = 5 - armhf = 7 ---- - C/Aes.c | 2 ++ - C/AesOpt.c | 2 ++ - C/Sha1.c | 2 ++ - C/Sha1Opt.c | 2 ++ - C/Sha256.c | 2 ++ - C/Sha256Opt.c | 2 ++ - CPP/7zip/Crypto/MyAes.cpp | 2 ++ - 7 files changed, 14 insertions(+) - -diff --git a/C/Aes.c b/C/Aes.c -index 9ad66c5..2af4298 100755 ---- a/C/Aes.c -+++ b/C/Aes.c -@@ -56,6 +56,7 @@ static Byte InvS[256]; - #ifdef MY_CPU_X86_OR_AMD64 - #define USE_HW_AES - #elif defined(MY_CPU_ARM_OR_ARM64) && defined(MY_CPU_LE) -+ #if (__ARM_ARCH >= 7) - #if defined(__clang__) - #if (__clang_major__ >= 8) // fix that check - #define USE_HW_AES -@@ -69,6 +70,7 @@ static Byte InvS[256]; - #define USE_HW_AES - #endif - #endif -+ #endif - #endif - - #ifdef USE_HW_AES -diff --git a/C/AesOpt.c b/C/AesOpt.c -index 1bdc9a8..60058bc 100755 ---- a/C/AesOpt.c -+++ b/C/AesOpt.c -@@ -508,6 +508,7 @@ VAES_COMPAT_STUB (AesCtr_Code_HW) - - #elif defined(MY_CPU_ARM_OR_ARM64) && defined(MY_CPU_LE) - -+ #if (__ARM_ARCH >= 7) - #if defined(__clang__) - #if (__clang_major__ >= 8) // fix that check - #define USE_HW_AES -@@ -521,6 +522,7 @@ VAES_COMPAT_STUB (AesCtr_Code_HW) - #define USE_HW_AES - #endif - #endif -+ #endif - - #ifdef USE_HW_AES - -diff --git a/C/Sha1.c b/C/Sha1.c -index 7adeb44..b6ee739 100755 ---- a/C/Sha1.c -+++ b/C/Sha1.c -@@ -33,6 +33,7 @@ This code is based on public domain code of Steve Reid from Wei Dai's Crypto++ l - #endif - #endif - #elif defined(MY_CPU_ARM_OR_ARM64) -+ #if (__ARM_ARCH >= 7) - #ifdef _MSC_VER - #if _MSC_VER >= 1910 && _MSC_VER >= 1929 && _MSC_FULL_VER >= 192930037 - #define _SHA_SUPPORTED -@@ -46,6 +47,7 @@ This code is based on public domain code of Steve Reid from Wei Dai's Crypto++ l - #define _SHA_SUPPORTED - #endif - #endif -+ #endif - #endif - - void MY_FAST_CALL Sha1_UpdateBlocks(UInt32 state[5], const Byte *data, size_t numBlocks); -diff --git a/C/Sha1Opt.c b/C/Sha1Opt.c -index dcedfbc..574d469 100755 ---- a/C/Sha1Opt.c -+++ b/C/Sha1Opt.c -@@ -214,6 +214,7 @@ void MY_FAST_CALL Sha1_UpdateBlocks_HW(UInt32 state[5], const Byte *data, size_t - - #elif defined(MY_CPU_ARM_OR_ARM64) - -+ #if (__ARM_ARCH >= 7) - #if defined(__clang__) - #if (__clang_major__ >= 8) // fix that check - #define USE_HW_SHA -@@ -227,6 +228,7 @@ void MY_FAST_CALL Sha1_UpdateBlocks_HW(UInt32 state[5], const Byte *data, size_t - #define USE_HW_SHA - #endif - #endif -+ #endif - - #ifdef USE_HW_SHA - -diff --git a/C/Sha256.c b/C/Sha256.c -index c03b75a..e997ad4 100755 ---- a/C/Sha256.c -+++ b/C/Sha256.c -@@ -33,6 +33,7 @@ This code is based on public domain code from Wei Dai's Crypto++ library. */ - #endif - #endif - #elif defined(MY_CPU_ARM_OR_ARM64) -+ #if (__ARM_ARCH >= 7) - #ifdef _MSC_VER - #if _MSC_VER >= 1910 - #define _SHA_SUPPORTED -@@ -46,6 +47,7 @@ This code is based on public domain code from Wei Dai's Crypto++ library. */ - #define _SHA_SUPPORTED - #endif - #endif -+ #endif - #endif - - void MY_FAST_CALL Sha256_UpdateBlocks(UInt32 state[8], const Byte *data, size_t numBlocks); -diff --git a/C/Sha256Opt.c b/C/Sha256Opt.c -index cc8c53e..b13cf7b 100755 ---- a/C/Sha256Opt.c -+++ b/C/Sha256Opt.c -@@ -214,6 +214,7 @@ void MY_FAST_CALL Sha256_UpdateBlocks_HW(UInt32 state[8], const Byte *data, size - - #elif defined(MY_CPU_ARM_OR_ARM64) - -+ #if (__ARM_ARCH >= 7) - #if defined(__clang__) - #if (__clang_major__ >= 8) // fix that check - #define USE_HW_SHA -@@ -227,6 +228,7 @@ void MY_FAST_CALL Sha256_UpdateBlocks_HW(UInt32 state[8], const Byte *data, size - #define USE_HW_SHA - #endif - #endif -+ #endif - - #ifdef USE_HW_SHA - -diff --git a/CPP/7zip/Crypto/MyAes.cpp b/CPP/7zip/Crypto/MyAes.cpp -index 7e7cced..0df7b2f 100755 ---- a/CPP/7zip/Crypto/MyAes.cpp -+++ b/CPP/7zip/Crypto/MyAes.cpp -@@ -86,6 +86,7 @@ STDMETHODIMP CAesCoder::SetInitVector(const Byte *data, UInt32 size) - #ifdef MY_CPU_X86_OR_AMD64 - #define USE_HW_AES - #elif defined(MY_CPU_ARM_OR_ARM64) && defined(MY_CPU_LE) -+ #if (__ARM_ARCH >= 7) - #if defined(__clang__) - #if (__clang_major__ >= 8) // fix that check - #define USE_HW_AES -@@ -99,6 +100,7 @@ STDMETHODIMP CAesCoder::SetInitVector(const Byte *data, UInt32 size) - #define USE_HW_AES - #endif - #endif -+ #endif - #endif - - #endif diff -Nru 7zip-22.01+dfsg/debian/patches/0003-Disable-local-echo-display-when-in-input-passwords-C.patch 7zip-25.01+dfsg/debian/patches/0003-Disable-local-echo-display-when-in-input-passwords-C.patch --- 7zip-22.01+dfsg/debian/patches/0003-Disable-local-echo-display-when-in-input-passwords-C.patch 1970-01-01 01:00:00.000000000 +0100 +++ 7zip-25.01+dfsg/debian/patches/0003-Disable-local-echo-display-when-in-input-passwords-C.patch 2026-02-11 08:34:56.000000000 +0100 @@ -0,0 +1,88 @@ +From: YOKOTA Hiroshi <[email protected]> +Date: Tue, 22 Feb 2022 21:02:14 +0900 +Subject: Disable local echo display when in input passwords (Closes: + #1006238) + +Forwarded: https://sourceforge.net/p/sevenzip/patches/381/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006238 +--- + CPP/7zip/UI/Console/UserInputUtils.cpp | 33 ++++++++++++++++++++++++++++++++- + CPP/Common/StdInStream.h | 3 +++ + 2 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/CPP/7zip/UI/Console/UserInputUtils.cpp b/CPP/7zip/UI/Console/UserInputUtils.cpp +index 6c3c85a..2832b00 100644 +--- a/CPP/7zip/UI/Console/UserInputUtils.cpp ++++ b/CPP/7zip/UI/Console/UserInputUtils.cpp +@@ -57,9 +57,18 @@ NUserAnswerMode::EEnum ScanUserYesNoAllQuit(CStdOutStream *outStream) + #ifdef _WIN32 + #ifndef UNDER_CE + #define MY_DISABLE_ECHO ++#define MY_DISABLE_ECHO_WIN32 + #endif + #endif + ++#ifdef unix ++#include <stdio.h> ++#include <termios.h> ++#include <unistd.h> ++#define MY_DISABLE_ECHO ++#define MY_DISABLE_ECHO_UNIX ++#endif ++ + static bool GetPassword(CStdOutStream *outStream, UString &psw) + { + if (outStream) +@@ -72,7 +81,7 @@ static bool GetPassword(CStdOutStream *outStream, UString &psw) + outStream->Flush(); + } + +- #ifdef MY_DISABLE_ECHO ++ #ifdef MY_DISABLE_ECHO_WIN32 + + const HANDLE console = GetStdHandle(STD_INPUT_HANDLE); + +@@ -91,6 +100,28 @@ static bool GetPassword(CStdOutStream *outStream, UString &psw) + if (wasChanged) + SetConsoleMode(console, mode); + ++ #elif defined(MY_DISABLE_ECHO_UNIX) ++ ++ const int ifd = fileno(&(*g_StdIn)); ++ bool wasChanged = false; ++ struct termios old_mode = {}; ++ struct termios new_mode = {}; ++ ++ if (tcgetattr(ifd, &old_mode) == 0) { ++ new_mode = old_mode; ++ new_mode.c_lflag &= ~ECHO; ++ ++ tcsetattr(ifd, TCSAFLUSH, &new_mode); ++ ++ wasChanged = true; ++ } ++ ++ const bool res = g_StdIn.ScanUStringUntilNewLine(psw); ++ ++ if (wasChanged) { ++ tcsetattr(ifd, TCSAFLUSH, &old_mode); ++ } ++ + #else + + const bool res = g_StdIn.ScanUStringUntilNewLine(psw); +diff --git a/CPP/Common/StdInStream.h b/CPP/Common/StdInStream.h +index 2253c43..69d84fe 100644 +--- a/CPP/Common/StdInStream.h ++++ b/CPP/Common/StdInStream.h +@@ -23,7 +23,10 @@ public: + + /* + ~CStdInStream() { Close(); } ++ */ + ++ operator FILE *() { return _stream; } ++ /* + bool Open(LPCTSTR fileName) throw(); + bool Close() throw(); + */ diff -Nru 7zip-22.01+dfsg/debian/patches/0004-Guard-ARM-v8-feature-from-old-architecture.patch 7zip-25.01+dfsg/debian/patches/0004-Guard-ARM-v8-feature-from-old-architecture.patch --- 7zip-22.01+dfsg/debian/patches/0004-Guard-ARM-v8-feature-from-old-architecture.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0004-Guard-ARM-v8-feature-from-old-architecture.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,25 +0,0 @@ -From: YOKOTA Hiroshi <[email protected]> -Date: Wed, 13 Oct 2021 07:59:13 +0900 -Subject: Guard ARM v8 feature from old architecture - -Forwarded: not-needed ---- - C/7zCrc.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/C/7zCrc.c b/C/7zCrc.c -index c7ec353..230d8a5 100755 ---- a/C/7zCrc.c -+++ b/C/7zCrc.c -@@ -81,8 +81,9 @@ UInt32 MY_FAST_CALL CrcUpdateT1(UInt32 v, const void *data, size_t size, const U - #define USE_ARM64_CRC - #endif - #endif -- #elif (defined(__clang__) && (__clang_major__ >= 3)) \ -- || (defined(__GNUC__) && (__GNUC__ > 4)) -+ #elif ( (defined(__clang__) && (__clang_major__ >= 3)) || \ -+ (defined(__GNUC__) && (__GNUC__ > 4) ) ) && \ -+ (__ARM_ARCH >= 8) - #if !defined(__ARM_FEATURE_CRC32) - #define __ARM_FEATURE_CRC32 1 - #if (!defined(__clang__) || (__clang_major__ > 3)) // fix these numbers diff -Nru 7zip-22.01+dfsg/debian/patches/0005-Add-note-for-unexpected-recursive-operations-behavio.patch 7zip-25.01+dfsg/debian/patches/0005-Add-note-for-unexpected-recursive-operations-behavio.patch --- 7zip-22.01+dfsg/debian/patches/0005-Add-note-for-unexpected-recursive-operations-behavio.patch 1970-01-01 01:00:00.000000000 +0100 +++ 7zip-25.01+dfsg/debian/patches/0005-Add-note-for-unexpected-recursive-operations-behavio.patch 2026-02-11 08:34:56.000000000 +0100 @@ -0,0 +1,25 @@ +From: YOKOTA Hiroshi <[email protected]> +Date: Fri, 3 Jan 2025 10:11:58 +0900 +Subject: Add note for unexpected recursive operations behavior to usage text + +Forwarded: https://sourceforge.net/p/sevenzip/bugs/2540/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091693 +--- + CPP/7zip/UI/Console/Main.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/CPP/7zip/UI/Console/Main.cpp b/CPP/7zip/UI/Console/Main.cpp +index 5094452..7511322 100644 +--- a/CPP/7zip/UI/Console/Main.cpp ++++ b/CPP/7zip/UI/Console/Main.cpp +@@ -133,6 +133,10 @@ static const char * const kHelpString = + PROG_POSTFIX + " <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]\n" + "\n" ++ "Note:\n" ++ " If <file_names> is not specified, 7z" PROG_POSTFIX " implicitly uses \".\" as <file_names>.\n" ++ " This means recursively add/delete/extract files to/from <arcive_name>.\n" ++ "\n" + "<Commands>\n" + " a : Add files to archive\n" + " b : Benchmark\n" diff -Nru 7zip-22.01+dfsg/debian/patches/0005-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch 7zip-25.01+dfsg/debian/patches/0005-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch --- 7zip-22.01+dfsg/debian/patches/0005-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0005-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,39 +0,0 @@ -From: YOKOTA Hiroshi <[email protected]> -Date: Wed, 15 Sep 2021 00:02:36 +0900 -Subject: Use getcwd(3) POSIX extension to avoid PATH_MAX macro - -Forwarded: not-needed - -This fix helps GNU Hurd. ---- - CPP/Windows/FileDir.cpp | 13 +------------ - 1 file changed, 1 insertion(+), 12 deletions(-) - -diff --git a/CPP/Windows/FileDir.cpp b/CPP/Windows/FileDir.cpp -index 5e95204..9b5394e 100755 ---- a/CPP/Windows/FileDir.cpp -+++ b/CPP/Windows/FileDir.cpp -@@ -906,22 +906,11 @@ bool GetCurrentDir(FString &path) - { - path.Empty(); - -- #define MY__PATH_MAX PATH_MAX -- // #define MY__PATH_MAX 1024 -- -- char s[MY__PATH_MAX + 1]; -- char *res = getcwd(s, MY__PATH_MAX); -- if (res) -- { -- path = fas2fs(s); -- return true; -- } - { -- // if (errno != ERANGE) return false; - #if defined(__GLIBC__) || defined(__APPLE__) - /* As an extension to the POSIX.1-2001 standard, glibc's getcwd() - allocates the buffer dynamically using malloc(3) if buf is NULL. */ -- res = getcwd(NULL, 0); -+ char *res = getcwd(NULL, 0); - if (res) - { - path = fas2fs(res); diff -Nru 7zip-22.01+dfsg/debian/patches/0006-Disable-local-echo-display-when-in-input-passwords-C.patch 7zip-25.01+dfsg/debian/patches/0006-Disable-local-echo-display-when-in-input-passwords-C.patch --- 7zip-22.01+dfsg/debian/patches/0006-Disable-local-echo-display-when-in-input-passwords-C.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0006-Disable-local-echo-display-when-in-input-passwords-C.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,83 +0,0 @@ -From: YOKOTA Hiroshi <[email protected]> -Date: Tue, 22 Feb 2022 21:02:14 +0900 -Subject: Disable local echo display when in input passwords (Closes: - #1006238) - ---- - CPP/7zip/UI/Console/UserInputUtils.cpp | 33 ++++++++++++++++++++++++++++++++- - CPP/Common/StdInStream.h | 1 + - 2 files changed, 33 insertions(+), 1 deletion(-) - -diff --git a/CPP/7zip/UI/Console/UserInputUtils.cpp b/CPP/7zip/UI/Console/UserInputUtils.cpp -index b3ca88e..6f60a78 100755 ---- a/CPP/7zip/UI/Console/UserInputUtils.cpp -+++ b/CPP/7zip/UI/Console/UserInputUtils.cpp -@@ -56,9 +56,18 @@ NUserAnswerMode::EEnum ScanUserYesNoAllQuit(CStdOutStream *outStream) - #ifdef _WIN32 - #ifndef UNDER_CE - #define MY_DISABLE_ECHO -+#define MY_DISABLE_ECHO_WIN32 - #endif - #endif - -+#ifdef unix -+#include <stdio.h> -+#include <termios.h> -+#include <unistd.h> -+#define MY_DISABLE_ECHO -+#define MY_DISABLE_ECHO_UNIX -+#endif -+ - static bool GetPassword(CStdOutStream *outStream, UString &psw) - { - if (outStream) -@@ -71,7 +80,7 @@ static bool GetPassword(CStdOutStream *outStream, UString &psw) - outStream->Flush(); - } - -- #ifdef MY_DISABLE_ECHO -+ #ifdef MY_DISABLE_ECHO_WIN32 - - HANDLE console = GetStdHandle(STD_INPUT_HANDLE); - bool wasChanged = false; -@@ -83,6 +92,28 @@ static bool GetPassword(CStdOutStream *outStream, UString &psw) - if (wasChanged) - SetConsoleMode(console, mode); - -+ #elif defined(MY_DISABLE_ECHO_UNIX) -+ -+ int ifd = fileno(&(*g_StdIn)); -+ bool wasChanged = false; -+ struct termios old_mode = {}; -+ struct termios new_mode = {}; -+ -+ if (tcgetattr(ifd, &old_mode) == 0) { -+ new_mode = old_mode; -+ new_mode.c_lflag &= ~ECHO; -+ -+ tcsetattr(ifd, TCSAFLUSH, &new_mode); -+ -+ wasChanged = true; -+ } -+ -+ bool res = g_StdIn.ScanUStringUntilNewLine(psw); -+ -+ if (wasChanged) { -+ tcsetattr(ifd, TCSAFLUSH, &old_mode); -+ } -+ - #else - - bool res = g_StdIn.ScanUStringUntilNewLine(psw); -diff --git a/CPP/Common/StdInStream.h b/CPP/Common/StdInStream.h -index 7f27e92..23c7bf8 100755 ---- a/CPP/Common/StdInStream.h -+++ b/CPP/Common/StdInStream.h -@@ -23,6 +23,7 @@ public: - - ~CStdInStream() { Close(); } - -+ operator FILE *() { return _stream; } - bool Open(LPCTSTR fileName) throw(); - bool Close() throw(); - diff -Nru 7zip-22.01+dfsg/debian/patches/0007-Manually-de-reference-pointers.patch 7zip-25.01+dfsg/debian/patches/0007-Manually-de-reference-pointers.patch --- 7zip-22.01+dfsg/debian/patches/0007-Manually-de-reference-pointers.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0007-Manually-de-reference-pointers.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,119 +0,0 @@ -From: YOKOTA Hiroshi <[email protected]> -Date: Sun, 21 Aug 2022 16:50:54 +0900 -Subject: Manually de-reference pointers - -Implicit de-reference breaks link time optimization (LTO). - -Pointer type mismatch breaks LTO because it violates strict-aliasing rules. - -C/Aes.h: - typedef void (MY_FAST_CALL *AES_CODE_FUNC)(UInt32 *ivAes, Byte *data, size_t numBlocks); -C/AesOpt.c: - void MY_FAST_CALL name(__m128i *p, __m128i *data, size_t numBlocks) - void MY_FAST_CALL name(v128 *p, v128 *data, size_t numBlocks) ---- - C/AesOpt.c | 28 ++++++++++++++++++++++++++-- - 1 file changed, 26 insertions(+), 2 deletions(-) - -diff --git a/C/AesOpt.c b/C/AesOpt.c -index 60058bc..1a81546 100755 ---- a/C/AesOpt.c -+++ b/C/AesOpt.c -@@ -61,7 +61,7 @@ - #endif - - #define AES_FUNC_START(name) \ -- void MY_FAST_CALL name(__m128i *p, __m128i *data, size_t numBlocks) -+ void MY_FAST_CALL name(UInt32 *d_p, Byte *d_data, size_t numBlocks) - - #define AES_FUNC_START2(name) \ - AES_FUNC_START (name); \ -@@ -77,6 +77,9 @@ AES_FUNC_START (name) - - AES_FUNC_START2 (AesCbc_Encode_HW) - { -+ __m128i *p = (__m128i *)(void *)d_p; -+ __m128i *data = (__m128i *)(void *)d_data; -+ - __m128i m = *p; - const __m128i k0 = p[2]; - const __m128i k1 = p[3]; -@@ -218,6 +221,9 @@ AES_FUNC_START2 (AesCbc_Encode_HW) - - AES_FUNC_START2 (AesCbc_Decode_HW) - { -+ __m128i *p = (__m128i *)(void *)d_p; -+ __m128i *data = (__m128i *)(void *)d_data; -+ - __m128i iv = *p; - const __m128i *wStart = p + *(const UInt32 *)(p + 1) * 2 + 2 - 1; - const __m128i *dataEnd; -@@ -271,6 +277,9 @@ AES_FUNC_START2 (AesCbc_Decode_HW) - - AES_FUNC_START2 (AesCtr_Code_HW) - { -+ __m128i *p = (__m128i *)(void *)d_p; -+ __m128i *data = (__m128i *)(void *)d_data; -+ - __m128i ctr = *p; - UInt32 numRoundsMinus2 = *(const UInt32 *)(p + 1) * 2 - 1; - const __m128i *dataEnd; -@@ -344,6 +353,9 @@ AES_FUNC_START (name) - - VAES_FUNC_START2 (AesCbc_Decode_HW_256) - { -+ __m128i *p = (__m128i *)(void *)d_p; -+ __m128i *data = (__m128i *)(void *)d_data; -+ - __m128i iv = *p; - const __m128i *dataEnd; - UInt32 numRounds = *(const UInt32 *)(p + 1) * 2 + 1; -@@ -415,6 +427,9 @@ AVX2: _mm256_add_epi64 : vpaddq ymm, ymm, ymm - - VAES_FUNC_START2 (AesCtr_Code_HW_256) - { -+ __m128i *p = (__m128i *)(void *)d_p; -+ __m128i *data = (__m128i *)(void *)d_data; -+ - __m128i ctr = *p; - UInt32 numRounds = *(const UInt32 *)(p + 1) * 2 + 1; - const __m128i *dataEnd; -@@ -553,7 +568,7 @@ VAES_COMPAT_STUB (AesCtr_Code_HW) - typedef uint8x16_t v128; - - #define AES_FUNC_START(name) \ -- void MY_FAST_CALL name(v128 *p, v128 *data, size_t numBlocks) -+ void MY_FAST_CALL name(UInt32 *d_p, Byte *d_data, size_t numBlocks) - - #define AES_FUNC_START2(name) \ - AES_FUNC_START (name); \ -@@ -573,6 +588,9 @@ AES_FUNC_START (name) - - AES_FUNC_START2 (AesCbc_Encode_HW) - { -+ v128 *p = (v128 *)(void *)d_p; -+ v128 *data = (v128 *)(void *)d_data; -+ - v128 m = *p; - const v128 k0 = p[2]; - const v128 k1 = p[3]; -@@ -674,6 +692,9 @@ AES_FUNC_START2 (AesCbc_Encode_HW) - - AES_FUNC_START2 (AesCbc_Decode_HW) - { -+ v128 *p = (v128 *)(void *)d_p; -+ v128 *data = (v128 *)(void *)d_data; -+ - v128 iv = *p; - const v128 *wStart = p + ((size_t)*(const UInt32 *)(p + 1)) * 2; - const v128 *dataEnd; -@@ -726,6 +747,9 @@ AES_FUNC_START2 (AesCbc_Decode_HW) - - AES_FUNC_START2 (AesCtr_Code_HW) - { -+ v128 *p = (v128 *)(void *)d_p; -+ v128 *data = (v128 *)(void *)d_data; -+ - uint64x2_t ctr = vreinterpretq_u64_u8(*p); - const v128 *wEnd = p + ((size_t)*(const UInt32 *)(p + 1)) * 2; - const v128 *dataEnd; diff -Nru 7zip-22.01+dfsg/debian/patches/0008-Remove-unwanted-hack-for-object-files.patch 7zip-25.01+dfsg/debian/patches/0008-Remove-unwanted-hack-for-object-files.patch --- 7zip-22.01+dfsg/debian/patches/0008-Remove-unwanted-hack-for-object-files.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0008-Remove-unwanted-hack-for-object-files.patch 2026-02-11 08:34:01.000000000 +0100 @@ -7,17 +7,17 @@ CPP/7zip/7zip_gcc.mak | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) -diff --git a/CPP/7zip/7zip_gcc.mak b/CPP/7zip/7zip_gcc.mak -index 090e498..525c24e 100755 ---- a/CPP/7zip/7zip_gcc.mak -+++ b/CPP/7zip/7zip_gcc.mak -@@ -25,8 +25,7 @@ endif - CFLAGS_BASE_LIST = -c +Index: 7zip/CPP/7zip/7zip_gcc.mak +=================================================================== +--- 7zip.orig/CPP/7zip/7zip_gcc.mak ++++ 7zip/CPP/7zip/7zip_gcc.mak +@@ -51,8 +51,7 @@ endif + # CFLAGS_BASE_LIST = -S CFLAGS_BASE = -O2 $(CFLAGS_BASE_LIST) $(CFLAGS_WARN_WALL) $(CFLAGS_WARN) \ -- -DNDEBUG -D_REENTRANT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE \ +- $(CFLAGS_DEBUG) -D_REENTRANT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE \ - -fPIC -+ -DNDEBUG -D_REENTRANT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE - - # -D_7ZIP_AFFINITY_DISABLE ++ $(CFLAGS_DEBUG) -D_REENTRANT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE + FLAGS_FLTO = -ffunction-sections + FLAGS_FLTO = -flto diff -Nru 7zip-22.01+dfsg/debian/patches/0009-Fix-CVE-2023-52168-and-CVE-2023-52169.patch 7zip-25.01+dfsg/debian/patches/0009-Fix-CVE-2023-52168-and-CVE-2023-52169.patch --- 7zip-22.01+dfsg/debian/patches/0009-Fix-CVE-2023-52168-and-CVE-2023-52169.patch 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/0009-Fix-CVE-2023-52168-and-CVE-2023-52169.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,146 +0,0 @@ -From: YOKOTA Hiroshi <[email protected]> -Date: Wed, 2 Oct 2024 12:09:49 +0900 -Subject: Fix CVE-2023-52168 and CVE-2023-52169 - -Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-52168 -Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-52169 -Forwarded: not-needed - -This patch was extracted from reporter's blog and -upstream/23.01..upstream/24.05 diff. -> https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ ---- - CPP/7zip/Archive/NtfsHandler.cpp | 89 +++++++++++++++++++++++++--------------- - 1 file changed, 57 insertions(+), 32 deletions(-) - -diff --git a/CPP/7zip/Archive/NtfsHandler.cpp b/CPP/7zip/Archive/NtfsHandler.cpp -index 0b9ee29..39a1299 100755 ---- a/CPP/7zip/Archive/NtfsHandler.cpp -+++ b/CPP/7zip/Archive/NtfsHandler.cpp -@@ -71,6 +71,7 @@ struct CHeader - { - unsigned SectorSizeLog; - unsigned ClusterSizeLog; -+ unsigned MftRecordSizeLog; - // Byte MediaType; - UInt32 NumHiddenSectors; - UInt64 NumSectors; -@@ -156,14 +157,47 @@ bool CHeader::Parse(const Byte *p) - - NumClusters = NumSectors >> sectorsPerClusterLog; - -- G64(p + 0x30, MftCluster); -+ G64(p + 0x30, MftCluster); // $MFT. - // G64(p + 0x38, Mft2Cluster); -- G64(p + 0x48, SerialNumber); -- UInt32 numClustersInMftRec; -- UInt32 numClustersInIndexBlock; -- G32(p + 0x40, numClustersInMftRec); // -10 means 2 ^10 = 1024 bytes. -- G32(p + 0x44, numClustersInIndexBlock); -- return (numClustersInMftRec < 256 && numClustersInIndexBlock < 256); -+ G64(p + 0x48, SerialNumber); // $MFTMirr -+ -+ /* -+ numClusters_per_MftRecord: -+ numClusters_per_IndexBlock: -+ only low byte from 4 bytes is used. Another 3 high bytes are zeros. -+ If the number is positive (number < 0x80), -+ then it represents the number of clusters. -+ If the number is negative (number >= 0x80), -+ then the size of the file record is 2 raised to the absolute value of this number. -+ example: (0xF6 == -10) means 2^10 = 1024 bytes. -+ */ -+ { -+ UInt32 numClusters_per_MftRecord; -+ G32(p + 0x40, numClusters_per_MftRecord); -+ if (numClusters_per_MftRecord >= 0x100 || numClusters_per_MftRecord == 0) -+ return false; -+ if (numClusters_per_MftRecord < 0x80) -+ { -+ const int t = GetLog(numClusters_per_MftRecord); -+ if (t < 0) -+ return false; -+ MftRecordSizeLog = (unsigned)t + ClusterSizeLog; -+ } -+ else -+ MftRecordSizeLog = 0x100 - numClusters_per_MftRecord; -+ // what exact MFT record sizes are possible and supported by Windows? -+ // do we need to change this limit here? -+ const unsigned k_MftRecordSizeLog_MAX = 12; -+ if (MftRecordSizeLog > k_MftRecordSizeLog_MAX) -+ return false; -+ if (MftRecordSizeLog < SectorSizeLog) -+ return false; -+ } -+ { -+ UInt32 numClusters_per_IndexBlock; -+ G32(p + 0x44, numClusters_per_IndexBlock); -+ return (numClusters_per_IndexBlock < 0x100); -+ } - } - - struct CMftRef -@@ -266,8 +300,8 @@ bool CFileNameAttr::Parse(const Byte *p, unsigned size) - G32(p + 0x38, Attrib); - // G16(p + 0x3C, PackedEaSize); - NameType = p[0x41]; -- unsigned len = p[0x40]; -- if (0x42 + len > size) -+ const unsigned len = p[0x40]; -+ if (0x42 + len * 2 > size) - return false; - if (len != 0) - GetString(p + 0x42, len, Name); -@@ -1730,26 +1764,22 @@ HRESULT CDatabase::Open() - - SeekToCluster(Header.MftCluster); - -- CMftRec mftRec; -- UInt32 numSectorsInRec; -- -+ // we use ByteBuf for records reading. -+ // so the size of ByteBuf must be >= mftRecordSize -+ const size_t recSize = (size_t)1 << Header.MftRecordSizeLog; -+ const size_t kBufSize = MyMax((size_t)(1 << 15), recSize); -+ ByteBuf.Alloc(kBufSize); -+ RINOK(ReadStream_FALSE(InStream, ByteBuf, recSize)) -+ { -+ const UInt32 allocSize = Get32(ByteBuf + 0x1C); -+ if (allocSize != recSize) -+ return S_FALSE; -+ } -+ // MftRecordSizeLog >= SectorSizeLog -+ const UInt32 numSectorsInRec = 1u << (Header.MftRecordSizeLog - Header.SectorSizeLog); - CMyComPtr<IInStream> mftStream; -+ CMftRec mftRec; - { -- UInt32 blockSize = 1 << 12; -- ByteBuf.Alloc(blockSize); -- RINOK(ReadStream_FALSE(InStream, ByteBuf, blockSize)); -- -- { -- UInt32 allocSize = Get32(ByteBuf + 0x1C); -- int t = GetLog(allocSize); -- if (t < (int)Header.SectorSizeLog) -- return S_FALSE; -- RecSizeLog = t; -- if (RecSizeLog > 15) -- return S_FALSE; -- } -- -- numSectorsInRec = 1 << (RecSizeLog - Header.SectorSizeLog); - if (!mftRec.Parse(ByteBuf, Header.SectorSizeLog, numSectorsInRec, 0, NULL)) - return S_FALSE; - if (!mftRec.IsFILE()) -@@ -1768,11 +1798,6 @@ HRESULT CDatabase::Open() - if ((mftSize >> 4) > Header.GetPhySize_Clusters()) - return S_FALSE; - -- const size_t kBufSize = (1 << 15); -- const size_t recSize = ((size_t)1 << RecSizeLog); -- if (kBufSize < recSize) -- return S_FALSE; -- - { - const UInt64 numFiles = mftSize >> RecSizeLog; - if (numFiles > (1 << 30)) diff -Nru 7zip-22.01+dfsg/debian/patches/series 7zip-25.01+dfsg/debian/patches/series --- 7zip-22.01+dfsg/debian/patches/series 2024-10-17 18:28:14.000000000 +0200 +++ 7zip-25.01+dfsg/debian/patches/series 2026-02-11 08:34:56.000000000 +0100 @@ -1,9 +1,5 @@ 0001-Accept-Debian-build-flags.patch -0002-Use-GCC-10-warning-options.patch -0003-Disable-hardware-acceleration-support-on-armel.patch -0004-Guard-ARM-v8-feature-from-old-architecture.patch -0005-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch -0006-Disable-local-echo-display-when-in-input-passwords-C.patch -0007-Manually-de-reference-pointers.patch +0002-Use-getcwd-3-POSIX-extension-to-avoid-PATH_MAX-macro.patch +0003-Disable-local-echo-display-when-in-input-passwords-C.patch +0005-Add-note-for-unexpected-recursive-operations-behavio.patch 0008-Remove-unwanted-hack-for-object-files.patch -0009-Fix-CVE-2023-52168-and-CVE-2023-52169.patch diff -Nru 7zip-22.01+dfsg/debian/salsa-ci.yml 7zip-25.01+dfsg/debian/salsa-ci.yml --- 7zip-22.01+dfsg/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ 7zip-25.01+dfsg/debian/salsa-ci.yml 2026-02-11 07:26:32.000000000 +0100 @@ -0,0 +1,3 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
