Control: tags -1 + confirmed

On Wed, 2026-06-03 at 12:43 +0200, Sylvain Beucler wrote:
> 7zip and p7zip were recently rebased on 7-Zip 25.01 to address
> security issues, in bookworm 12.14:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129934
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132466
>
> A similar situation is happening now with the release of 8 new CVEs:
> https://deb.freexian.com/extended-lts/tracker/source-package/p7zip
> CVE-2026-48092: SquashFS Fragment Offset Overflow
> CVE-2026-48095: Heap Buffer Write Overflow
> CVE-2026-48101: UEFI Capsule uninitialized heap memory disclosure
> CVE-2026-48102: UDF Field OOB Read
> CVE-2026-48103: WIM SecurityId OOB read
> CVE-2026-48104: SquashFS BlockToNode uninitialized heap read
> CVE-2026-48111: UEFI DEPEX OOB Read
> CVE-2026-48112: Ar SYMDEF OOB Read
> whose fixes are again unfortunately lost within upstream mass-commit:
> https://github.com/ip7z/7zip/commit/8c63d71ff886bda90c86db28466287f977374237
Please go ahead, bearing in mind the timing of the final bookworm point release.

Regards,
Adam

