From: Vrushti Dabhi <[email protected]>

Upstream Repository: https://sourceforge.net/projects/p7zip/
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
Type: Security Fix
CVE: CVE-2022-47069
Score: 7.8

Note:
- Commit [1] updates the complete p7zip archive source for v17 and includes changes that fix CVE-2022-47609; adapted the fix-related changes in the current p7zip v16.02.
- Similar changes via [2] have been integrated into the upstream 7zip package, which replaced p7zip 16.02 in OE-Core master.

For the testing:
- Verified fix using steps mentioned at [3], trace not observed.
- Validated against known malicious ZIP samples [3]

References:
[1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
[2] https://github.com/ip7z/7zip/commit/f19f813537c7
[3] https://sourceforge.net/p/p7zip/bugs/241/
[4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069

Signed-off-by: Vrushti Dabhi <[email protected]>
--- .../p7zip/files/CVE-2022-47069.patch | 63 +++++++++++++++++++ meta-oe/recipes-extended/p7zip/p7zip_16.02.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch new file mode 100644 index 0000000000..586c0e82dc --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch 
@@ -0,0 +1,63 @@ +From 633f61e2eaf6530cf7e53c702c06de1b7a840fa7 Mon Sep 17 00:00:00 2001 +From: Vrushti Dabhi <[email protected]> +Date: Thu, 27 Nov 2025 01:36:55 -0800 +Subject: [PATCH] Fix out-of-bounds read in ZIP archive processing + (CVE-2022-47069) + +Add bounds checking and replace unsafe pointer arithmetic with index-based +access in FindCd() to prevent out-of-bounds read when processing malformed +ZIP archives. + +Testing: +- Verified fix using steps mentioned at [1], trace not observed. +- Validated against known malicious ZIP samples [1] +- Changes merged in upstream p7zip via [2] + +CVE: CVE-2022-47069 +Upstream-Status: Pending + +References: +[1] https://sourceforge.net/p/p7zip/bugs/241/ +[2] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2 +[3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069 + +Signed-off-by: Vrushti Dabhi <[email protected]> +--- + CPP/7zip/Archive/Zip/ZipIn.cpp | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/CPP/7zip/Archive/Zip/ZipIn.cpp b/CPP/7zip/Archive/Zip/ZipIn.cpp +index c71c40f..84213b4 100644 +--- a/CPP/7zip/Archive/Zip/ZipIn.cpp ++++ b/CPP/7zip/Archive/Zip/ZipIn.cpp +@@ -1095,11 +1095,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode) + + if (i >= kEcd64Locator_Size) + { +- const Byte *locatorPtr = buf + i - kEcd64Locator_Size; +- if (Get32(locatorPtr) == NSignature::kEcd64Locator) ++ const size_t locatorIndex = i - kEcd64Locator_Size; ++ if (Get32(buf + locatorIndex) == NSignature::kEcd64Locator) + { + CLocator locator; +- locator.Parse(locatorPtr + 4); ++ locator.Parse(buf + locatorIndex + 4); + if ((cdInfo.ThisDisk == locator.NumDisks - 1 || cdInfo.ThisDisk == 0xFFFF) + && locator.Ecd64Disk < locator.NumDisks) + { +@@ -1110,9 +1110,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode) + // we try relative backward reading. 
+ + UInt64 absEcd64 = endPos - bufSize + i - (kEcd64Locator_Size + kEcd64_FullSize); ++ ++ if (locatorIndex >= kEcd64_FullSize) + if (checkOffsetMode || absEcd64 == locator.Ecd64Offset) + { +- const Byte *ecd64 = locatorPtr - kEcd64_FullSize; ++ const Byte *ecd64 = buf + locatorIndex - kEcd64_FullSize; + if (Get32(ecd64) == NSignature::kEcd64) + { + UInt64 mainEcd64Size = Get64(ecd64 + 4); +-- +2.35.6 + diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb index 31a12fdb04..3ac0ed03cd 100644 --- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb +++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb @@ -13,6 +13,7 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al file://CVE-2018-5996.patch \ file://CVE-2016-9296.patch \ file://0001-Fix-two-buffer-overflow-vulnerabilities.patch \ + file://CVE-2022-47069.patch \ " SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf" -- 2.35.6
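Review bot: The header of the new CVE-2022-47069.patch says "Upstream-Status: Pending", yet its own Testing section states the changes are merged in upstream p7zip via [2]. Since the fix is adapted from that commit, tag it as a backport and name the commit, for example "Upstream-Status: Backport [https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2]". Reference [3] in that header is listed but never cited in the text; either cite it or drop it.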
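Review bot: The first FindCd() hunk (@@ -1095) adds no bound of its own: `buf + locatorIndex` is the same address the removed `locatorPtr` held, and the read is still covered only by the existing `if (i >= kEcd64Locator_Size)`. The embedded commit message presents the index-based access as part of the protection; please reword it so it is clear that the new check in the following hunk is the functional change and this hunk is a refactor that supports it.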
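Review bot: In the second FindCd() hunk (@@ -1110) the new guard `if (locatorIndex >= kEcd64_FullSize)` is stacked without braces directly above the existing `if (checkOffsetMode || absEcd64 == locator.Ecd64Offset)` at the same indentation, which hides the nesting and invites a mistake on a later edit. Fold the two into one condition, `if (locatorIndex >= kEcd64_FullSize && (checkOffsetMode || absEcd64 == locator.Ecd64Offset))`, or brace and indent the inner statement. A one-line comment that the guard keeps `buf + locatorIndex - kEcd64_FullSize` from pointing before the start of buf would document why it is there.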
