Package: 7zip
Version: 24.09+dfsg-2
Severity: grave

Dear Maintainer,
The 7z program in the "7zip" package has a dangerous default behavior. When only one file name argument is given, 7z uses that file as the archive name and starts archiving the files and directories in the current working directory. In other words, the command:

    7z a archive

behaves exactly the same as the commands:

    7z a archive *
    7z a archive .

This is DANGEROUS as it may lead to unintended out-of-space disk errors. In contrast, other common archival tools default to doing nothing when only one file name is given.

This bug should be fixed ASAP. If not, please consider removing the 7zip package from the Debian repository until the bug is fixed.

Below is an example sequence of commands that will demonstrate this "oddity" of 7z's default behavior in comparison to other GNU/Linux command-line archival tools. It can be copied and placed into a file named "test.sh" and run as a bash or zsh script. (Note: the packages "zpaq", "bsdtar", "zip" and "busybox" might need to be installed.)

    # BEGIN TEST SCRIPT
    mkdir Working_Dir.d
    # change to working directory
    cd Working_Dir.d
    zpaq add Test_Archive
    bsdtar cf Test_Archive
    tar cf Test_Archive
    zip Test_Archive
    # busybox needs the applet name ("tar") before the tar options
    busybox tar cf Test_Archive
    7z a Test_Archive
    # change to parent directory
    cd ..
    echo "Only 7z outputs an empty archive."
    ls Working_Dir.d/*
    # END TEST SCRIPT

A more severe case of this weird default behavior is when using the "7z rn" (rename) function. When only one file name argument is supplied, "7z rn" behaves exactly like "7z a". For example, the command "7z rn archive.7z" will create the file "archive.7z", if it doesn't exist, and archive the files and directories in the current working directory. If a valid 7z archive named "archive.7z" already exists, the "7z rn" command will use that archive and do the same (i.e. add files and directories from the current directory). This has the potential of clobbering (replacing) old versions in the existing archive.
I feel that, under the Debian bug reporting guidelines, this merits the severity level "grave" (https://www.debian.org/Bugs/Developer#severities) as this would result in "data loss" (e.g. the current version of a file in the filesystem might be damaged). I quote:

    grave: makes the package in question unusable by most or all users, or causes data loss, or introduces a security hole allowing access to the accounts of users who use the package.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.11.10-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_SG.UTF-8, LC_CTYPE=en_SG.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages 7zip depends on:
ii  libc6       2.40-4
ii  libgcc-s1   14.2.0-8
ii  libstdc++6  14.2.0-8

7zip recommends no packages.

Versions of packages 7zip suggests:
pn  7zip-rar         <none>
pn  7zip-standalone  <none>

-- no debconf information
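As an added example that is not part of the bug report above (and not code from the 7zip project or Debian), here is a POSIX sh wrapper a user can install until the default is changed. It implements the behaviour the report asks for: for the "a", "u" and "rn" commands it counts the non-switch arguments after the command and refuses to run 7z unless an archive name AND at least one explicit file argument are present, so a bare "7z a archive" or "7z rn archive.7z" can no longer silently sweep up the current directory. The function names (check_7z_args, safe7z) are this example's own; the only 7z syntax it assumes is that switches start with "-" and that "--" ends the switch list.

```shell
#!/bin/sh
# check_7z_args CMD [ARGS...]
# Returns 0 when it is safe to pass the argument list to 7z, 1 otherwise.
# Only the commands that default to "everything in the current directory"
# when given a single name (a, u, rn) are checked; every other command,
# and an empty command line, passes straight through to 7z.
check_7z_args() {
    [ "$#" -ge 1 ] || return 0
    cmd=$1
    shift
    case "$cmd" in
        a|u|rn) ;;
        *) return 0 ;;
    esac

    # Count arguments that are not switches. The first one is the archive
    # name; anything after it (a path, a wildcard, an @listfile) is an
    # explicit file argument.
    nonswitch=0
    end_of_switches=0
    for arg in "$@"; do
        if [ "$end_of_switches" -eq 0 ]; then
            case "$arg" in
                --) end_of_switches=1; continue ;;   # 7z: "--" ends switches
                -*) continue ;;                      # a switch such as -t7z or -mx=9
            esac
        fi
        nonswitch=$((nonswitch + 1))
    done
    # archive name plus at least one file argument
    [ "$nonswitch" -ge 2 ]
}

# safe7z ARGS...  - drop-in replacement for "7z" (e.g. alias 7z=safe7z)
safe7z() {
    if ! check_7z_args "$@"; then
        echo "safe7z: refusing '7z $*': no file arguments given;" \
             "7z would archive the whole current directory" >&2
        return 2
    fi
    7z "$@"
}
```

The check is deliberately conservative: "7z a archive.7z -mx=9" is refused even though the switch looks like a second argument, while "7z a -- archive.7z ." is accepted because "." is an explicit, visible choice by the user.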

