Hi,

On Mon, Dec 22, 2025 at 11:53 PM Gyorgy Sarvari <[email protected]> wrote:
>
> Anuj,
>
> Do you see showstopper issues with this patch? Or did it just fall
> through the cracks accidentally?

Sorry, I did have questions on this patch so didn't include it but forgot to respond. Thank you for reminding.

>
> On 12/11/25 12:33, Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE
> LIMITED at Cisco) via lists.openembedded.org wrote:
> > From: Vrushti Dabhi <[email protected]>
> >
> > Upstream Repository: https://sourceforge.net/projects/p7zip/
> >
> > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
> > Type: Security Fix
> > CVE: CVE-2022-47069
> > Score: 7.8
> >
> > Note:
> > - Commit [1] updates complete p7zip archive source for v17 and includes changes
> >   that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
> > - Similar changes via [2] have been integrated into the upstream 7zip package,
> >   which replaced p7zip 16.02 in OE-Core master.
> >
> > For the testing:
> > - Verified fix using steps mentioned at [3], trace not observed.
> > - Validated against known malicious ZIP samples [3]
> >
> > References:
> > [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> > [2] https://github.com/ip7z/7zip/commit/f19f813537c7
> > [3] https://sourceforge.net/p/p7zip/bugs/241/
> > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069

It looks like the patch attached in this bug is different from the changes below. It's not clear to me how the fix was derived from [1] and [2] and how is [4] relevant.

Thanks,
Anuj
