p7zip: CVE-2015-1038: Directory traversal through symlinks

Related Vulnerabilities: CVE-2015-1038  

Debian Bug report logs - #774660

Reported by: Alexander Cherepanov <cherepan@mccme.ru>

Date: Mon, 5 Jan 2015 20:33:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions p7zip/9.04~dfsg.1-1, p7zip/9.20.1~dfsg.1-4

Fixed in versions p7zip/9.20.1~dfsg.1-4.2, p7zip/9.04~dfsg.1-1+deb6u1, p7zip/9.20.1~dfsg.1-4.1+deb8u1, p7zip/9.20.1~dfsg.1-4+deb7u1

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/p7zip/bugs/147/



Report forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#774660; Package p7zip-full. (Mon, 05 Jan 2015 20:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Cherepanov <cherepan@mccme.ru>:
New Bug report received and forwarded. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Mon, 05 Jan 2015 20:33:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alexander Cherepanov <cherepan@mccme.ru>
To: submit@bugs.debian.org
Subject: Directory traversal through symlinks
Date: Mon, 05 Jan 2015 23:21:36 +0300
Package: p7zip-full
Version: 9.20.1~dfsg.1-4
Tags: security

7z (and 7zr) is susceptible to a directory traversal vulnerability. 
While extracting an archive, it will extract symlinks and then follow 
them if they are referenced in further entries. This can be exploited by 
a rogue archive to write files outside the current directory.

Example:

1) create a sample archive:

ln -s /tmp dir
7z a test.7z dir
rm dir
mkdir dir
echo hello > dir/file
7z a test.7z dir/file
rm -r dir

2) test it:

7z x test.7z

This will create a symlink "dir" in the current directory and a file 
"/tmp/file".

This can also be exploited through zip, arj and maybe other archives.

-- 
Alexander Cherepanov
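
Added example (not part of the original report, and not the code of the Debian patch): a small Python model of the extraction order described above, run on constructed entries that mirror the reporter's archive, with a scratch directory standing in for /tmp. The entry tuples and the function names (`symlinked_parents`, `parent_is_symlink`, `extract`, `demo`) are assumptions for illustration; the deferred mode follows the "delay creation of symlinks" idea named in the changelog entries of this log and additionally refuses to write through a symlink already on disk.

```python
import os
import tempfile

def symlinked_parents(entries):
    """Audit a listing: names that sit beneath a path the same archive also
    declares as a symlink, whatever the entry order (duplicates included)."""
    links = {n.rstrip("/") for n, kind, _ in entries if kind == "symlink"}
    flagged = []
    for name, _, _ in entries:
        parts = name.rstrip("/").split("/")
        if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
            flagged.append(name)
    return flagged

def parent_is_symlink(dest, name):
    """True if any directory component of name is already a symlink on disk."""
    cur = dest
    for part in name.split("/")[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return True
    return False

def extract(entries, dest, defer_symlinks):
    """Model extractor. defer_symlinks=False creates entries in archive order
    (the behaviour reported); True creates symlinks only after every file and
    directory, and refuses to write through a symlink already on disk."""
    deferred, refused = [], []
    for name, kind, payload in entries:
        if name.startswith("/") or ".." in name.split("/"):
            raise ValueError("model handles relative names without '..' only")
        path = os.path.join(dest, name)
        if kind == "symlink" and defer_symlinks:
            deferred.append((name, payload))
        elif kind == "symlink":
            os.symlink(payload, path)
        elif defer_symlinks and parent_is_symlink(dest, name):
            refused.append(name)
        elif kind == "dir":
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(payload)
    for name, target in deferred:
        path = os.path.join(dest, name)
        # Skip links whose parent is a link, or whose name is already taken.
        if parent_is_symlink(dest, name) or os.path.lexists(path):
            refused.append(name)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            os.symlink(target, path)
    return refused

def demo():
    """Extract the report's two-entry archive in both modes inside a scratch
    directory; 'outside' stands in for /tmp. Maps mode -> did a file escape."""
    escaped = {}
    for defer in (False, True):
        with tempfile.TemporaryDirectory() as root:
            outside = os.path.join(root, "outside")
            dest = os.path.join(root, "dest")
            os.mkdir(outside)
            os.mkdir(dest)
            # Constructed entries mirroring "ln -s /tmp dir" + "dir/file".
            entries = [("dir", "symlink", outside),
                       ("dir/file", "file", b"hello\n")]
            extract(entries, dest, defer)
            escaped[defer] = os.path.exists(os.path.join(outside, "file"))
    return escaped

if __name__ == "__main__":
    print(demo())
```

`symlinked_parents` can be run over a listing before extraction; it flags the report's `dir/file` entry regardless of whether the symlink entry comes first or last.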



Changed Bug title to 'p7zip: CVE-2015-1038: Directory traversal through symlinks' from 'Directory traversal through symlinks' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 11 Jan 2015 15:24:06 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Mohammed Adnène Trojette <adn+deb@diwi.org> to control@bugs.debian.org. (Thu, 19 Feb 2015 22:18:24 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#774660; Package p7zip-full. (Tue, 24 Feb 2015 17:18:09 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Tue, 24 Feb 2015 17:18:10 GMT) (full text, mbox, link).


Message #14 received at 774660@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Mohammed Adnène Trojette <adn+deb@diwi.org>
Cc: debian-lts@lists.debian.org, 774660@bugs.debian.org
Subject: squeeze update of p7zip?
Date: Tue, 24 Feb 2015 18:15:38 +0100

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of p7zip:
https://security-tracker.debian.org/tracker/CVE-2015-1038

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#774660; Package p7zip-full. (Tue, 24 Feb 2015 20:27:17 GMT) (full text, mbox, link).


Acknowledgement sent to Mohammed Adnène Trojette <adn+deb@diwi.org>:
Extra info received and forwarded to list. (Tue, 24 Feb 2015 20:27:17 GMT) (full text, mbox, link).


Message #19 received at 774660@bugs.debian.org (full text, mbox, reply):

From: Mohammed Adnène Trojette <adn+deb@diwi.org>
To: Raphael Hertzog <hertzog@debian.org>, debian-lts@lists.debian.org, 774660@bugs.debian.org
Subject: Re: squeeze update of p7zip?
Date: Tue, 24 Feb 2015 21:16:42 +0100

On Tue, Feb 24, 2015, Raphael Hertzog wrote:
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

Bonsoir Raphael and LTS team,

I guess I'd rather let you do what is best with the package.
I am a bit rusty and may be orphaning the package soon, actually.

Thanks for all you are doing and for the kind mail.

Best regards,
-- 
Adnène



Information forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#774660; Package p7zip-full. (Wed, 25 Mar 2015 14:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Wed, 25 Mar 2015 14:21:05 GMT) (full text, mbox, link).


Message #24 received at 774660@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Mohammed Adnène Trojette <adn+deb@diwi.org>
Cc: 774660@bugs.debian.org
Subject: Re: [Alexander Cherepanov <cherepan@mccme.ru>] Bug#774660: Directory traversal through symlinks
Date: Wed, 25 Mar 2015 15:12:02 +0100

On Thu, Feb 19, 2015 at 11:08:43PM +0100, Mohammed Adnène Trojette wrote:
> tags 774660 + upstream forwarded
> thanks
> 
> Hi!
> 
> The bug mentioned below was reported to Debian.

Did you receive a reply from upstream?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#774660; Package p7zip-full. (Wed, 25 Mar 2015 14:57:08 GMT) (full text, mbox, link).


Acknowledgement sent to Mohammed Adnène TROJETTE <adn@diwi.org>:
Extra info received and forwarded to list. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Wed, 25 Mar 2015 14:57:08 GMT) (full text, mbox, link).


Message #29 received at 774660@bugs.debian.org (full text, mbox, reply):

From: Mohammed Adnène TROJETTE <adn@diwi.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, Mohammed Adnène Trojette <adn+deb@diwi.org>
Cc: 774660@bugs.debian.org
Subject: Re: [Alexander Cherepanov <cherepan@mccme.ru>] Bug#774660: Directory traversal through symlinks
Date: Wed, 25 Mar 2015 15:55:21 +0100

Unfortunately no reply at all :-/

-- 
Adnène



On 25/03/2015 15:12, Moritz Muehlenhoff wrote:
> On Thu, Feb 19, 2015 at 11:08:43PM +0100, Mohammed Adnène Trojette wrote:
>> tags 774660 + upstream forwarded
>> thanks
>>
>> Hi!
>>
>> The bug mentioned below was reported to Debian.
> Did you receive a reply from upstream?
>
> Cheers,
>          Moritz
>




Information forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#774660; Package p7zip-full. (Sun, 31 May 2015 23:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Sun, 31 May 2015 23:33:04 GMT) (full text, mbox, link).


Message #34 received at 774660@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 774660-submitter@bugs.debian.org
Cc: 774660@bugs.debian.org
Subject: Re: p7zip: CVE-2015-1038: Directory traversal through symlinks
Date: Mon, 01 Jun 2015 00:28:15 +0100

Control: severity -1 important
Control: tag -1 patch

This fixes the given test case, but I can't be certain that it fixes all
possible attacks using symlinks.  It might be possible to defeat this by
using duplicate entries for the same name in the same 7zip file
including negative (deletion).  I wanted to test that by modifying 7zip
to create duplicate entries, but did not succeed.

Ben.

-- 
Ben Hutchings
Power corrupts.  Absolute power is kind of neat.
                           - John Lehman, Secretary of the US Navy 1981-1987
[CVE-2015-1038.patch (text/x-patch, attachment)]

Severity set to 'important' from 'normal' Request was from Ben Hutchings <ben@decadent.org.uk> to 774660-submit@bugs.debian.org. (Sun, 31 May 2015 23:33:04 GMT) (full text, mbox, link).


Added tag(s) patch. Request was from Ben Hutchings <ben@decadent.org.uk> to 774660-submit@bugs.debian.org. (Sun, 31 May 2015 23:33:05 GMT) (full text, mbox, link).


Message sent on to Alexander Cherepanov <cherepan@mccme.ru>:
Bug#774660. (Sun, 31 May 2015 23:33:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#774660; Package p7zip-full. (Sun, 31 May 2015 23:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Sun, 31 May 2015 23:36:03 GMT) (full text, mbox, link).


Message #46 received at 774660@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 774660@bugs.debian.org
Subject: Patch for squeeze LTS
Date: Mon, 01 Jun 2015 00:33:28 +0100

Here's the version for squeeze LTS (just some context changes).  I'd
appreciate a review before I upload it.

Ben.

-- 
Ben Hutchings
Power corrupts.  Absolute power is kind of neat.
                           - John Lehman, Secretary of the US Navy 1981-1987
[CVE-2015-1038-squeeze.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#774660; Package p7zip-full. (Mon, 01 Jun 2015 13:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Mohammed Adnène TROJETTE <adn@diwi.org>:
Extra info received and forwarded to list. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Mon, 01 Jun 2015 13:51:04 GMT) (full text, mbox, link).


Message #51 received at 774660@bugs.debian.org (full text, mbox, reply):

From: Mohammed Adnène TROJETTE <adn@diwi.org>
To: Ben Hutchings <ben@decadent.org.uk>, 774660@bugs.debian.org
Subject: Re: Bug#774660: Patch for squeeze LTS
Date: Mon, 01 Jun 2015 15:42:13 +0200

On 2015-06-01 01:33, Ben Hutchings wrote:
> Here's the version for squeeze LTS (just some context changes).  I'd
> appreciate a review before I upload it.

Dear Ben,

Sorry, I won't be able to review your patch (sadly, I intend to orphan 
p7zip).

Thanks for taking action.

-- 
Mohammed Adnène TROJETTE



Set Bug forwarded-to-address to 'https://sourceforge.net/p/p7zip/bugs/147/'. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Tue, 02 Jun 2015 01:09:04 GMT) (full text, mbox, link).


Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Sun, 14 Jun 2015 16:15:10 GMT) (full text, mbox, link).


Notification sent to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer. (Sun, 14 Jun 2015 16:15:10 GMT) (full text, mbox, link).


Message #58 received at 774660-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 774660-close@bugs.debian.org
Subject: Bug#774660: fixed in p7zip 9.20.1~dfsg.1-4.2
Date: Sun, 14 Jun 2015 16:13:25 +0000

Source: p7zip
Source-Version: 9.20.1~dfsg.1-4.2

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774660@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 31 May 2015 23:45:58 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source
Version: 9.20.1~dfsg.1-4.2
Distribution: unstable
Urgency: medium
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 p7zip      - 7z file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Closes: 774660
Changes:
 p7zip (9.20.1~dfsg.1-4.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Delay creation of symlinks to prevent arbitrary file writes (CVE-2015-1038)
     (Closes: #774660)




Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Sun, 14 Jun 2015 17:00:05 GMT) (full text, mbox, link).


Notification sent to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer. (Sun, 14 Jun 2015 17:00:05 GMT) (full text, mbox, link).


Message #63 received at 774660-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 774660-close@bugs.debian.org
Subject: Bug#774660: fixed in p7zip 9.04~dfsg.1-1+deb6u1
Date: Sun, 14 Jun 2015 16:58:37 +0000

Source: p7zip
Source-Version: 9.04~dfsg.1-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774660@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 14 Jun 2015 17:35:20 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: amd64 source
Version: 9.04~dfsg.1-1+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Closes: 774660
Description:
 p7zip      - 7zr file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Changes:
 p7zip (9.04~dfsg.1-1+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Squeeze LTS team
   * Delay creation of symlinks to prevent arbitrary file writes (CVE-2015-1038)
     (Closes: #774660)




Marked as found in versions p7zip/9.04~dfsg.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Jun 2015 16:42:07 GMT) (full text, mbox, link).


Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Mon, 15 Jun 2015 22:21:20 GMT) (full text, mbox, link).


Notification sent to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer. (Mon, 15 Jun 2015 22:21:20 GMT) (full text, mbox, link).


Message #70 received at 774660-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 774660-close@bugs.debian.org
Subject: Bug#774660: fixed in p7zip 9.20.1~dfsg.1-4.1+deb8u1
Date: Mon, 15 Jun 2015 22:17:07 +0000

Source: p7zip
Source-Version: 9.20.1~dfsg.1-4.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774660@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 31 May 2015 23:45:58 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source
Version: 9.20.1~dfsg.1-4.1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 p7zip      - 7z file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Closes: 774660
Changes:
 p7zip (9.20.1~dfsg.1-4.1+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload.
   * Delay creation of symlinks to prevent arbitrary file writes (CVE-2015-1038)
     (Closes: #774660)




Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Tue, 16 Jun 2015 22:06:04 GMT) (full text, mbox, link).


Notification sent to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer. (Tue, 16 Jun 2015 22:06:04 GMT) (full text, mbox, link).


Message #75 received at 774660-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 774660-close@bugs.debian.org
Subject: Bug#774660: fixed in p7zip 9.20.1~dfsg.1-4+deb7u1
Date: Tue, 16 Jun 2015 22:03:44 +0000

Source: p7zip
Source-Version: 9.20.1~dfsg.1-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774660@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 14 Jun 2015 17:05:53 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source
Version: 9.20.1~dfsg.1-4+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 p7zip      - 7z file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Closes: 774660
Changes:
 p7zip (9.20.1~dfsg.1-4+deb7u1) wheezy-security; urgency=medium
 .
   * Non-maintainer upload.
   * Delay creation of symlinks to prevent arbitrary file writes (CVE-2015-1038)
     (Closes: #774660)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jul 2015 07:41:00 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:32:58 2019; Machine Name: beach
