Hi,

On Fri, May 29, 2026 at 09:51:16AM +0900, YOKOTA Hiroshi wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:7zip
> User: [email protected]
> Usertags: pu
> 
> 
> [ Reason ]
> Fix CVE-2026-48095 (heap buffer write overflow)
> 
> [ Impact ]
> A CVE (CVSS: 8.8/10) is unfixed.
> 
> [ Tests ]
> Autopkgtest on Salsa CI was successful.
> https://salsa.debian.org/debian/7zip/-/pipelines/1096718
> 
> [ Risks ]
> This patch just updates upstream code to v26.01,
> because upstream does not provide an individual fix patch for the CVE.
> I recommend using the online view to examine this update.
> The attached debdiff is compressed because it's too big (20MB).
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> * Update upstream code to v26.01
> * Adjust Debian patch to new upstream code
> * Adjust debian/watch file because upstream changes download URL
> 
> [ Other info ]
> * GHSL-2026-140: Heap Buffer Write Overflow in 7-Zip
>   https://securitylab.github.com/advisories/GHSL-2026-140_7-Zip/
> * Examine this update online
> https://salsa.debian.org/debian/7zip/-/compare/debian%2F25.01+dfsg-1_deb13u2...debian%2Ftrixie?from_project_id=61356

FYI, I *think* the debdiff was too big to reach the mailing list, so
you can as well attach a filtered debdiff to indicate what needed
to change from the debian/* packaging point of view. I can confirm that
the attachments are in the bug though.

Regards,
Salvatore