Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1

2024-04-13 Thread yokota
> I am not in a position to assess that for you. You're the maintainer, you
> need to be able to vouch for your proposed upload.

Upstream does not have a VCS and does not provide a fix patch; they just
released the new version 7-Zip 23.01 as the fix.
So I can't guarantee that the bug was fixed except by the new upstream version 23.01.

I think we need some Debian Developer to provide a BPO package of 7zip 23.01
to fix this issue.
Because I am a Debian Maintainer, I can't provide such a BPO package.

--
YOKOTA Hiroshi



Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1

2024-04-06 Thread Jonathan Wiltshire
Control: tag -1 moreinfo

On Sun, Oct 15, 2023 at 12:55:48PM +0900, yokota wrote:
> The trivial autopkgtest passed, but I don't know whether this debdiff
> really fixes CVE-2023-31102 and CVE-2023-40481.
> 
> Please examine attached debdiff.

I am not in a position to assess that for you. You're the maintainer, you
need to be able to vouch for your proposed upload.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1

2023-10-14 Thread yokota
Hello Jonathan,

> The diff you attached is unreviewable:
>  979 files changed, 40347 insertions(+), 25060 deletions(-)
> Please prepare targetted fixes for the security issues.

Upstream does not release a fix patch, but they release the new version
(23.01) source code.
I tried to extract a fix patch from the diff of the 22.01..23.01 source code.

The trivial autopkgtest passed, but I don't know whether this debdiff
really fixes CVE-2023-31102 and CVE-2023-40481.

Please examine attached debdiff.

diff stat:
 changelog                             |    8
 patches/0009-CVE-2023-40481-fix.patch |  253 ++
 patches/0010-CVE-2023-31102-fix.patch |  856 ++
 patches/series                        |    2
 4 files changed, 1119 insertions(+)

--
YOKOTA Hiroshi


7zip_22.01+dfsg-8+deb12u1.debdiff
Description: Binary data
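
The extraction step this message describes (carving a targeted fix out of the full 22.01..23.01 source diff), as an added example that is not code from this thread, from the 7zip package or from Debian tooling: a small Python tool that splits the output of `diff -ruN old-tree new-tree` into per-file sections, keeps only the tree-relative paths matching the patterns you name, reports what it dropped so the reviewer can see what was left out, and prepends a DEP-3 style header so the result can go straight into debian/patches/. The sample diff, file paths, patterns and header values below are constructed for illustration and say nothing about where the real CVE fixes live.

```python
"""Carve a targeted quilt patch out of a whole-release unified diff.

Added example (not 7zip's or Debian's own tooling). Input is the text of
`diff -ruN old-tree new-tree`; output keeps only the per-file sections
whose tree-relative path matches the given fnmatch patterns, with a DEP-3
header prepended. The sample diff and paths are constructed, not real.
"""
import fnmatch
import re

# Constructed sample diff: one source file and one doc file changed.
SAMPLE_DIFF = (
    "diff -ruN 7zip-22.01/CPP/7zip/Archive/Example/ExampleIn.cpp "
    "7zip-23.01/CPP/7zip/Archive/Example/ExampleIn.cpp\n"
    "--- 7zip-22.01/CPP/7zip/Archive/Example/ExampleIn.cpp\t2022-07-15 00:00:00 +0000\n"
    "+++ 7zip-23.01/CPP/7zip/Archive/Example/ExampleIn.cpp\t2023-06-20 00:00:00 +0000\n"
    "@@ -1,3 +1,4 @@\n"
    " // constructed hunk, not a real 7-Zip change\n"
    "+if (size > limit) return S_FALSE;\n"
    " foo();\n"
    " bar();\n"
    "diff -ruN 7zip-22.01/DOC/readme.txt 7zip-23.01/DOC/readme.txt\n"
    "--- 7zip-22.01/DOC/readme.txt\t2022-07-15 00:00:00 +0000\n"
    "+++ 7zip-23.01/DOC/readme.txt\t2023-06-20 00:00:00 +0000\n"
    "@@ -1 +1 @@\n"
    "-7-Zip 22.01\n"
    "+7-Zip 23.01\n"
)

NEW_FILE_HEADER = re.compile(r"^\+\+\+ (\S+)")


def split_diff(diff_text: str) -> list[tuple[str, str]]:
    """Return (new_path, section_text) for every file in a unified diff.

    A new section starts at a 'diff ' line, or at a '--- ' line directly
    followed by '+++ ' once the current section already has a file header
    (so a removed source line that happens to start with '-- ' is not
    mistaken for a header). Works for headerless `diff -u` output too.
    """
    lines = diff_text.splitlines(keepends=True)
    sections: list[list[str]] = []
    cur: list[str] = []
    has_header = False
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        starts_new = line.startswith("diff ") or (
            has_header and line.startswith("--- ") and nxt.startswith("+++ ")
        )
        if starts_new and cur:
            sections.append(cur)
            cur, has_header = [], False
        cur.append(line)
        if line.startswith("+++ "):
            has_header = True
    if cur:
        sections.append(cur)

    result = []
    for sec in sections:
        paths = [m.group(1) for m in map(NEW_FILE_HEADER.match, sec) if m]
        if paths:  # sections without a '+++' header are junk, skip them
            result.append((paths[0], "".join(sec)))
    return result


def tree_relative(path: str, strip: int = 1) -> str:
    """Drop the leading tree component(s), like `patch -p<strip>` does."""
    parts = path.split("/")
    return "/".join(parts[strip:]) if len(parts) > strip else path


def select_files(diff_text: str, patterns: list[str], strip: int = 1):
    """Keep sections whose tree-relative path matches any fnmatch pattern.

    Returns (patch_body, kept_paths, dropped_paths) so the reviewer can see
    exactly which upstream changes were left out of the targeted patch.
    """
    body, kept, dropped = [], [], []
    for path, section in split_diff(diff_text):
        rel = tree_relative(path, strip)
        if any(fnmatch.fnmatchcase(rel, p) for p in patterns):
            kept.append(rel)
            body.append(section)
        else:
            dropped.append(rel)
    return "".join(body), kept, dropped


def dep3_patch(body: str, description: str, origin: str, bug: str,
               last_update: str) -> str:
    """Prepend a DEP-3 style header; the '---' line terminates the header."""
    header = (
        f"Description: {description}\n"
        f"Origin: {origin}\n"
        f"Bug: {bug}\n"
        f"Last-Update: {last_update}\n"
        "---\n"
    )
    return header + body


if __name__ == "__main__":
    # Hypothetical pattern and header values, chosen for the sample only.
    body, kept, dropped = select_files(SAMPLE_DIFF, ["CPP/7zip/Archive/*"])
    print("kept:", kept)
    print("dropped:", dropped)
    print(dep3_patch(body, "Constructed example of a targeted backport",
                     "backport, extracted from upstream release diff",
                     "<upstream advisory URL>", "2023-10-14"))
```

Feed it the real `diff -ruN 7zip-22.01 7zip-23.01` output and the dropped-path list is the thing to show a reviewer: it makes the claim "only these files changed for the CVE" checkable instead of asking them to read a 979-file diff.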


Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1

2023-10-07 Thread Jonathan Wiltshire
Control: tag -1 moreinfo

On Tue, Sep 05, 2023 at 04:04:27AM +0900, YOKOTA Hiroshi wrote:
> [ Reason ]
> 1. Fix security issue
>  CVE-2023-31102: https://www.zerodayinitiative.com/advisories/ZDI-23-1165/
>  CVE-2023-40481: https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
> 
> 2. Use 7zip-rar package for RAR archives.
>7zip-rar requires 7zip >= 22.01-9

The diff you attached is unreviewable:

 979 files changed, 40347 insertions(+), 25060 deletions(-)

Please prepare targetted fixes for the security issues.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1

2023-09-05 Thread yokota
Hello,

> What are the isolated fixes for CVE-2023-40481 and CVE-2023-31102, is there 
> some
> kind of public upstream VCS or can you ask upstream about it?

The CVE site does not disclose info about this issue yet, but Zero Day
Initiative has already disclosed it.

> CVE-2023-31102: https://www.zerodayinitiative.com/advisories/ZDI-23-1165/
> CVE-2023-40481: https://www.zerodayinitiative.com/advisories/ZDI-23-1164/

In the Zero Day Initiative report, they show the fixes for these issues.

> ADDITIONAL DETAILS 7-Zip has issued an update to correct this vulnerability. 
> More details can be found at: 
> https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269/

The updated 7-Zip 23.00 beta is released at this SourceForge link.
I want to upload 7-Zip 23.01 to Debian because 23.01 is the non-beta version.

--
YOKOTA Hiroshi



Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1

2023-09-04 Thread Moritz Muehlenhoff
On Tue, Sep 05, 2023 at 04:04:27AM +0900, YOKOTA Hiroshi wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: 7...@packages.debian.org, yokota.h...@gmail.com, 
> b...@debian.org, t...@security.debian.org
> Control: affects -1 + src:7zip
> 
> [ Reason ]
> 1. Fix security issue
>  CVE-2023-31102: https://www.zerodayinitiative.com/advisories/ZDI-23-1165/
>  CVE-2023-40481: https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
>
> 2. Use 7zip-rar package for RAR archives.
>7zip-rar requires 7zip >= 22.01-9

What are the isolated fixes for CVE-2023-40481 and CVE-2023-31102, is there some
kind of public upstream VCS or can you ask upstream about it?

Cheers,
Moritz