[Secure-testing-team] Bug#888297: p7zip: Multiple Memory Corruptions via RAR and ZIP
Gregor Riepl
onitake at gmail.com
Wed Jan 24 18:45:30 UTC 2018
Package: p7zip
Version: 16.02+dfsg-4
Severity: grave
Tags: upstream newcomer security
Justification: user security hole
Dear Maintainer,
p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
vulnerabilities:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn
In particular, the RAR3 and LZW algorithm implementations are susceptible to
memory corruption and may compromise a system through specially crafted
archives.
These issues have already been fixed upstream, and a new version of p7zip
(18.0) is available.
Please update all p7zip* packages to their latest versions as soon as possible.
Thank you.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (900, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages p7zip depends on:
ii libc6 2.26-2
ii libgcc1 1:7.2.0-19
ii libstdc++6 7.2.0-19
p7zip recommends no packages.
Versions of packages p7zip suggests:
ii p7zip-full 16.02+dfsg-4
-- no debconf information
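An added example, not part of the bug report above, showing one way an administrator could check whether installed p7zip* packages still fall below the release the report names as fixed. It assumes the threshold 18.0 taken from the report, uses coreutils `sort -V` instead of `dpkg --compare-versions` so it runs without dpkg, and reads a constructed sample package list in the format of `dpkg-query -W -f='${Package} ${Version}\n' 'p7zip*'` rather than querying a live system.

```shell
#!/bin/sh
# Added example (not from the bug report): flag installed p7zip* packages whose
# version is older than the release the report names as fixed.
# Assumptions: FIXED_VERSION comes from the report; SAMPLE_PACKAGES is a
# constructed stand-in for dpkg-query output so the script runs offline.

FIXED_VERSION="18.0"

# Constructed sample in the format of:
#   dpkg-query -W -f='${Package} ${Version}\n' 'p7zip*'
SAMPLE_PACKAGES='p7zip 16.02+dfsg-4
p7zip-full 16.02+dfsg-4
p7zip-rar 16.02-2'

# version_at_least A B: succeed when A >= B under natural version ordering.
# On Debian, dpkg --compare-versions is the authoritative comparator; sort -V
# is used here so the check also works where dpkg is absent.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# needs_update VERSION: succeed when VERSION is below FIXED_VERSION.
needs_update() {
    ! version_at_least "$1" "$FIXED_VERSION"
}

# list_outdated: print "package version" for every sample package below the fix.
list_outdated() {
    printf '%s\n' "$SAMPLE_PACKAGES" | while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        if needs_update "$ver"; then
            printf '%s %s\n' "$pkg" "$ver"
        fi
    done
}

list_outdated
```

On a real system the constructed list would be replaced by the `dpkg-query` call shown in the comment, and any package printed by `list_outdated` is one the report asks to be upgraded.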