Control: tags -1 + confirmed

On Wed, 2026-06-03 at 12:43 +0200, Sylvain Beucler wrote:
> 7zip and p7zip were recently rebased on 7-Zip 25.01 to address
> security issues, in bookworm 12.14:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129934
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132466
> 
> A similar situation is happening now with the release of 8 new CVEs:
> https://deb.freexian.com/extended-lts/tracker/source-package/p7zip
>   CVE-2026-48092: SquashFS Fragment Offset Overflow
>   CVE-2026-48095: Heap Buffer Write Overflow
>   CVE-2026-48101: UEFI Capsule uninitialized heap memory disclosure
>   CVE-2026-48102: UDF Field OOB Read
>   CVE-2026-48103: WIM SecurityId OOB read
>   CVE-2026-48104: SquashFS BlockToNode uninitialized heap read
>   CVE-2026-48111: UEFI DEPEX OOB Read
>   CVE-2026-48112: Ar SYMDEF OOB Read
> whose fixes are again unfortunately lost within an upstream mass-commit:
> https://github.com/ip7z/7zip/commit/8c63d71ff886bda90c86db28466287f977374237

Please go ahead, bearing in mind the timing of the final bookworm point
release.

Regards,

Adam
