Package: release.debian.org
Control: affects -1 + src:p7zip
X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
Severity: normal
Hello Release team,

[ Reason ]

p7zip in bookworm is affected by multiple security issues:
https://deb.freexian.com/extended-lts/tracker/source-package/p7zip

CVE-2022-47069, CVE-2023-31102, CVE-2023-40481, CVE-2023-52168,
CVE-2023-52169, CVE-2024-11612, CVE-2025-11001, CVE-2025-11002,
CVE-2025-53817, CVE-2025-55188

This situation has been stuck for multiple releases, due to a dead upstream: p7zip is an old fork of 7-Zip, which is now obsolete since 7-Zip has native Unix support (it used to be Windows-only). Moreover, the 7-Zip project imports new releases into Git but provides neither history nor CVE information, making it difficult if not impossible to isolate patches and apply them to the older p7zip code base:
https://github.com/ip7z/7zip/commits/main/

Discussing with the maintainer and the security team, we designed a path forward: replacing the p7zip codebase with the exact same code as in the 7zip/trixie package (25.01), plus 3 compatibility patches:

- old-style version output: fixes fragile version detection in GUIs, e.g. #1063545 and #1063564
- symlinks support / -l option: p7zip-specific option with a different default behavior, remapped to -snl from 7zip; also used in GUIs (undocumented)
- -[no-]utf16 support: p7zip-specific option, a no-op since 7zip considers the filesystem to be UTF-8 (rather than inferring it from the environment)

https://lists.debian.org/debian-lts/2026/01/msg00022.html
https://lists.debian.org/debian-lts/2026/02/msg00019.html
https://lists.debian.org/debian-lts/2026/03/msg00009.html

[ Impact ]

Users are vulnerable to memory corruption and several directory traversals when handling archives, both in .7z and in the other formats that p7zip supports. p7zip is used as a backend by several graphical interfaces (ark, file-roller/engrampa, lxqt...) and CLIs (mc, atool...).
[ Tests ]

Thorough manual rdeps testing was done:

- GUIs: engrampa/file-roller, ark, lxqt; in particular symlinks handling
- CLI wrappers: mc, atool, binwalk
- Usage in test suites: libio-compress-lzma-perl
- Illegal usage of (private) 7z.so: android-platform-external-libunwind: Crc* and Xz* symbols remained stable over time, build succeeds
- Antivirus: amavisd-new (simple calls to 7z)
- SFX (SelF-eXtracting archive, concatenating 7zSFX with a .7z file)
- Password encryption (-mhe=on)

Salsa-CI is set up, with new autopkgtests:
https://salsa.debian.org/debian/p7zip/-/pipelines/1057870

There's also a debusine upload:
https://debusine.debian.net/debian/developers/work-request/552708/#work_request

A binary debdiff was done to ensure the same fileset is installed. Only the HTML documentation was dropped; all other files are kept at their location.

The new version scheme ensures a correct upgrade path, cross-checked by carnil:
https://lists.debian.org/debian-lts/2026/03/msg00018.html

We hope to push this update to oldstable-proposed-updates as soon as possible, to allow for end-user testing before the next point release mid-May.

[ Risks ]

Particular care was taken to maintain compatibility with the existing p7zip. A transition from p7zip to 7zip was done in trixie, giving prior experience for this update:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;include=subject%3A7zip;submitter=cacin%40allfreemail.net

Unlike in trixie, here we keep the p7zip package compatible, avoiding the need to modify reverse dependencies.

The 7-Zip interface proved particularly stable over time, allowing this update to be replicated down to stretch (planned for Debian LTS and ELTS):
https://salsa.debian.org/beuc/p7zip/-/pipelines

Deriving the 7zip package minimally will allow for a consistent codebase in both 7zip and p7zip, easing auditing and future fixes. The exact same source tarball is used:
$ sha1sum 7zip_25.01+dfsg.orig.tar.xz p7zip_16.02+really25.01+dfsg.orig.tar.xz
60dae021cb41e62d50e1e43a20adf9c18d45250f  7zip_25.01+dfsg.orig.tar.xz
60dae021cb41e62d50e1e43a20adf9c18d45250f  p7zip_16.02+really25.01+dfsg.orig.tar.xz

Other (p)7zip forks were considered, but none uses a recent-enough (fixed) codebase.

[ Checklist ]

[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable (removed from unstable, fixed in trixie via the 7zip transition)

[ Changes ]

The v25.01 codebase was imported on top of the bookworm p7zip packaging. As the full debdiff is very noisy due to all the new upstream code, care was taken to create a step-by-step minimal import, for review:
https://salsa.debian.org/debian/p7zip/-/tree/debian/bookworm

The packaging was minimally modified to adapt to the new build system.

Missing manpages (no longer provided by upstream) were imported from trixie. So were debian/tests/.

HTML documentation was dropped (no longer shipped by upstream).

The existing Debian patchset was replaced by trixie's; I only dropped the patches for ASM support (requiring asmc-linux, not in bookworm) and those introducing codepage changes (a functional/breaking change). The 3 patches for p7zip compatibility (described above) were added.

Attached are debdiffs of debian/, with and without patches/. The full debdiff with the new codebase is large and full of DOS/Unix newline issues, so it was not included; however, this update reuses the trixie tarball identically.

debian/copyright was updated and debian/watch stubbed.

[ Other info ]

I'll open a companion OSPU for p7zip-rar (non-free): same codebase without DFSG pruning, to provide a compatible Rar.so plugin.

We plan to backport this version to Debian LTS bullseye as well, following your feedback here.
A slightly related OSPU was opened at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129934
It upgrades the 7zip (not p7zip) package to the 25.01/trixie codebase as well, with fewer changes. This explains why all the codebase updates here were based on 7zip/trixie rather than 7zip/bookworm.

-- 
Sylvain Beucler
Debian LTS Team

