Your message dated Wed, 30 May 2018 07:23:19 +0000
with message-id <[email protected]>
and subject line Bug#897674: fixed in p7zip-rar 16.02-3
has caused the Debian Bug report #897674,
regarding p7zip-rar: CVE-2018-10115
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
897674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: p7zip-rar
Version: 16.02-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for p7zip-rar.
CVE-2018-10115[0]:
| Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03
| and before can lead to usage of uninitialized memory, allowing remote
| attackers to cause a denial of service (segmentation fault) or execute
| arbitrary code via a crafted RAR archive.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10115
[1] https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
[2] https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
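The CVE text quoted in the report above describes a decoder object whose initialization is wrong for one of its modes: when an entry is flagged as a continuation of earlier data, the decoder trusts state that no earlier entry ever set up. The C program below is an added illustration of that bug class; it is not 7-Zip or p7zip code, and the toy window-copy stream format, the `decoder_t` struct, the `solid_allowed` flag and the sample entries are all constructed for this example. The hardened variant follows the general shape of the fix referenced in the changelog (initialize every field, and only honour a "solid" continuation after a previous entry completed successfully), but the real RAR decoder logic differs and is described in the linked write-up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_SIZE 16

/* Toy decoder object. Like a RAR decoder on a solid archive, it can be asked
 * to continue from the history left behind by the previous entry. */
typedef struct {
    uint8_t window[WINDOW_SIZE]; /* ring buffer of recently produced bytes */
    size_t  pos;                 /* total bytes produced into the window */
    int     solid_allowed;       /* hardened only: previous entry completed */
} decoder_t;

enum { DEC_OK = 0, DEC_BAD_DATA = 1, DEC_REJECT_SOLID = 2 };

/* Constructed stream format: 0x00..0x7F is a literal byte; 0x80|d copies the
 * byte d positions back (d in 1..127). Each input byte yields one output byte,
 * so `out` needs n bytes. A reference past the real history is corrupt data. */
int decode_core(decoder_t *dec, const uint8_t *in, size_t n,
                uint8_t *out, size_t *outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = in[i];
        if (b & 0x80) {
            size_t d = b & 0x7F;
            /* This check is only meaningful if dec->pos is a truthful length. */
            if (d == 0 || d > dec->pos || d > WINDOW_SIZE)
                return DEC_BAD_DATA;
            b = dec->window[(dec->pos - d) % WINDOW_SIZE];
        }
        dec->window[dec->pos % WINDOW_SIZE] = b;
        dec->pos++;
        out[o++] = b;
    }
    *outlen = o;
    return DEC_OK;
}

/* VULNERABLE pattern: state is reset only for a non-solid entry. For a solid
 * entry the decoder uses whatever the object holds, even if no earlier entry
 * ever initialized it (or the earlier entry failed partway). */
int decode_entry_vuln(decoder_t *dec, const uint8_t *in, size_t n,
                      int solid, uint8_t *out, size_t *outlen)
{
    if (!solid)
        dec->pos = 0;
    return decode_core(dec, in, n, out, outlen);
}

/* HARDENED pattern: every field is initialized by the constructor, and a solid
 * continuation is honoured only after a previous entry fully succeeded. */
void decoder_init(decoder_t *dec)
{
    memset(dec, 0, sizeof *dec); /* pos = 0, empty window, solid_allowed = 0 */
}

int decode_entry_safe(decoder_t *dec, const uint8_t *in, size_t n,
                      int solid, uint8_t *out, size_t *outlen)
{
    if (solid) {
        if (!dec->solid_allowed)
            return DEC_REJECT_SOLID; /* no valid history to continue from */
    } else {
        dec->pos = 0;
    }
    dec->solid_allowed = 0; /* revoked until this entry completes */
    int rc = decode_core(dec, in, n, out, outlen);
    if (rc == DEC_OK)
        dec->solid_allowed = 1;
    return rc;
}

/* Vulnerable path on a solid *first* entry: returns how many output bytes were
 * copied from window memory that no entry ever wrote. */
size_t demo_stale_bytes(void)
{
    decoder_t dec;
    /* Stands in for stale heap contents left by an earlier allocation; a real
     * read of uninitialized memory is undefined behaviour, so it is simulated. */
    memset(&dec, 0xAA, sizeof dec);
    static const uint8_t entry[] = { 0x81, 0x81, 0x81 }; /* constructed: 3 back-refs */
    uint8_t out[sizeof entry];
    size_t outlen = 0, stale = 0;
    if (decode_entry_vuln(&dec, entry, sizeof entry, 1, out, &outlen) == DEC_OK)
        for (size_t i = 0; i < outlen; i++)
            stale += (out[i] == 0xAA);
    return stale;
}

/* Hardened path on the same entry: the continuation is refused outright. */
int demo_hardened_rc(void)
{
    decoder_t dec;
    decoder_init(&dec);
    static const uint8_t entry[] = { 0x81, 0x81, 0x81 };
    uint8_t out[sizeof entry];
    size_t outlen = 0;
    return decode_entry_safe(&dec, entry, sizeof entry, 1, out, &outlen);
}

/* Hardened path on a well-formed sequence: non-solid "ab"+copy(2), then a
 * solid entry copy(1). Returns 1 if the concatenated output is "abaa". */
int demo_valid_sequence(void)
{
    decoder_t dec;
    decoder_init(&dec);
    static const uint8_t e1[] = { 'a', 'b', 0x82 };
    static const uint8_t e2[] = { 0x81 };
    uint8_t out[8];
    size_t n1 = 0, n2 = 0;
    if (decode_entry_safe(&dec, e1, sizeof e1, 0, out, &n1) != DEC_OK) return 0;
    if (decode_entry_safe(&dec, e2, sizeof e2, 1, out + n1, &n2) != DEC_OK) return 0;
    return n1 + n2 == 4 && memcmp(out, "abaa", 4) == 0;
}

int main(void)
{
    printf("vulnerable: %zu of 3 output bytes came from stale memory\n", demo_stale_bytes());
    printf("hardened: rc=%d (2 = solid continuation rejected)\n", demo_hardened_rc());
    printf("hardened valid sequence: %s\n", demo_valid_sequence() ? "abaa" : "FAIL");
    return 0;
}
```

The point of the toy is the bounds check in `decode_core`: it is correct only when `pos` is a truthful history length, so the vulnerable wrapper turns an attacker-controlled "solid" flag into reads of whatever the object happened to contain, while the hardened wrapper makes the flag meaningless until the object has a history it actually produced. In a real decoder the stale state is not just a window but filter tables and pointers, which is what turns the same mistake from garbage output into a crash or worse.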
--- Begin Message ---
Source: p7zip-rar
Source-Version: 16.02-3
We believe that the bug you reported is fixed in the latest version of
p7zip-rar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Luberda <[email protected]> (supplier of updated p7zip-rar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 30 May 2018 09:04:26 +0200
Source: p7zip-rar
Binary: p7zip-rar
Architecture: source amd64
Version: 16.02-3
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <[email protected]>
Changed-By: Robert Luberda <[email protected]>
Description:
p7zip-rar - non-free rar module for p7zip
Closes: 897674
Changes:
p7zip-rar (16.02-3) unstable; urgency=medium
.
* Hopefully fix uninitialized memory access (CVE-2018-10115)
by applying changes described at
https://landave.io/files/patch_7zip_CVE-2018-10115.txt
(closes: #897674, LP: #1768984).
* debian/control:
+ switch VCS fields to salsa;
+ set Rules-Requires-Root to no;
+ Standards-Version: 4.1.4.
* debian/copyright: add a short comment explaining why this package
is non-free (lintian).
Checksums-Sha1:
3a7527532c7d6026afa817cf44f468cee7d7e598 1883 p7zip-rar_16.02-3.dsc
0c122e1378f0431b51c55ae08bd8871c0166e064 10148 p7zip-rar_16.02-3.debian.tar.xz
d0f162df290bfdfe6c7dcc1f8e586d6ee947728f 184220 p7zip-rar-dbgsym_16.02-3_amd64.deb
750e22eb33cb38e93b4693c3d3c9846ef6f6ddeb 5817 p7zip-rar_16.02-3_amd64.buildinfo
b863aa7717da2f397332ccf6ec7716ba4fb95c0a 57568 p7zip-rar_16.02-3_amd64.deb
Checksums-Sha256:
c49914f87dc3b8ec34853c006f0fb9c368865a53806d95b9c59dd02999923023 1883 p7zip-rar_16.02-3.dsc
fd8521bad02353bef892c6937edfa09b274d950583f90ac2cc71222763561f2b 10148 p7zip-rar_16.02-3.debian.tar.xz
7d09436960785ebf01ccc6f1597a2a60e971bffba27baa33cfbaf8eeb4229402 184220 p7zip-rar-dbgsym_16.02-3_amd64.deb
16da2c646cf43635a403e9f9ca70479d0cc159fc7fe57442bdd0ffc7e5602583 5817 p7zip-rar_16.02-3_amd64.buildinfo
9b2c9dab1651ec54b71a644a8d228f7c0bab20e205162731a1beb9e5d0685e0c 57568 p7zip-rar_16.02-3_amd64.deb
Files:
2a047aeb6a31b9b08f0da04d7c076dab 1883 non-free/utils optional p7zip-rar_16.02-3.dsc
2e60c421882ad52e9622d216c6cd8289 10148 non-free/utils optional p7zip-rar_16.02-3.debian.tar.xz
671428c6dfc66dcb44cd3ca7883d9811 184220 non-free/debug optional p7zip-rar-dbgsym_16.02-3_amd64.deb
672d6b9668ff31c523b47f94c276fa26 5817 non-free/utils optional p7zip-rar_16.02-3_amd64.buildinfo
d043818a204b8f57e359858772cbf09e 57568 non-free/utils optional p7zip-rar_16.02-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---