p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow

Related Vulnerabilities: CVE-2017-17969, CVE-2018-5996

Debian Bug report logs - #888297
Package: p7zip; Maintainer for p7zip is Robert Luberda <robert@debian.org>; Source for p7zip is src:p7zip.

Reported by: Gregor Riepl <onitake@gmail.com>

Date: Wed, 24 Jan 2018 18:48:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions p7zip/9.20.1~dfsg.1-4.1, p7zip/16.02+dfsg-4

Fixed in versions p7zip/16.02+dfsg-5, p7zip/16.02+dfsg-3+deb9u1, p7zip/9.20.1~dfsg.1-4.1+deb8u3

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/p7zip/bugs/204/



Report forwarded to debian-bugs-dist@lists.debian.org, onitake@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip. (Wed, 24 Jan 2018 18:48:03 GMT)


Acknowledgement sent to Gregor Riepl <onitake@gmail.com>:
New Bug report received and forwarded. Copy sent to onitake@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Robert Luberda <robert@debian.org>. (Wed, 24 Jan 2018 18:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Gregor Riepl <onitake@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: p7zip: Multiple Memory Corruptions via RAR and ZIP
Date: Wed, 24 Jan 2018 19:45:30 +0100
Package: p7zip
Version: 16.02+dfsg-4
Severity: grave
Tags: upstream newcomer security
Justification: user security hole

Dear Maintainer,

p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
vulnerabilities:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn

In particular, the RAR3 and LZW algorithm implementations are susceptible to
memory corruption and may compromise a system through specially crafted
archives.

These issues have already been fixed upstream, and a new version of p7zip
(18.0) is available.

Please update all p7zip* packages to their latest versions as soon as possible.

Thank you.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages p7zip depends on:
ii  libc6       2.26-2
ii  libgcc1     1:7.2.0-19
ii  libstdc++6  7.2.0-19

p7zip recommends no packages.

Versions of packages p7zip suggests:
ii  p7zip-full  16.02+dfsg-4

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip. (Wed, 24 Jan 2018 21:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Wed, 24 Jan 2018 21:39:03 GMT)


Message #10 received at 888297@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Gregor Riepl <onitake@gmail.com>, 888297@bugs.debian.org
Subject: Re: Bug#888297: p7zip: Multiple Memory Corruptions via RAR and ZIP
Date: Wed, 24 Jan 2018 22:35:48 +0100
Control: tags -1 - newcomer
Control: clone -1 -2
Control: retitle -1 p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow
Control: reassign -2 p7zip-rar
Control: retitle -2 p7zip-rar: CVE-2018-5996: Memory Corruptions via RAR PPMd

Hi

On Wed, Jan 24, 2018 at 07:45:30PM +0100, Gregor Riepl wrote:
> Package: p7zip
> Version: 16.02+dfsg-4
> Severity: grave
> Tags: upstream newcomer security
> Justification: user security hole
> 
> Dear Maintainer,
> 
> p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
> vulnerabilities:
> https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn

Since they are in two different source packages let's actually create
two bugs.

Regards,
Salvatore



Removed tag(s) newcomer. Request was from Salvatore Bonaccorso <carnil@debian.org> to 888297-submit@bugs.debian.org. (Wed, 24 Jan 2018 21:39:03 GMT)


Bug 888297 cloned as bug 888314. Request was from Salvatore Bonaccorso <carnil@debian.org> to 888297-submit@bugs.debian.org. (Wed, 24 Jan 2018 21:39:04 GMT)


Changed Bug title to 'p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow' from 'p7zip: Multiple Memory Corruptions via RAR and ZIP'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 888297-submit@bugs.debian.org. (Wed, 24 Jan 2018 21:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip. (Thu, 25 Jan 2018 07:18:03 GMT)


Acknowledgement sent to Gregor Riepl <onitake@gmail.com>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Thu, 25 Jan 2018 07:18:03 GMT)


Message #21 received at 888297@bugs.debian.org:

From: Gregor Riepl <onitake@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 888297@bugs.debian.org
Subject: Re: Bug#888297: p7zip: Multiple Memory Corruptions via RAR and ZIP
Date: Thu, 25 Jan 2018 08:15:57 +0100
> Since they are in two different source packages let's actually create
> two bugs.

Ah, I hadn't noticed that.

Thanks for splitting and retagging.



Set Bug forwarded-to-address to 'https://sourceforge.net/p/p7zip/bugs/204/'. Request was from Robert Luberda <robert@debian.org> to control@bugs.debian.org. (Fri, 26 Jan 2018 06:48:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip. (Fri, 26 Jan 2018 21:15:03 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Fri, 26 Jan 2018 21:15:03 GMT)


Message #28 received at 888297@bugs.debian.org:

From: Antoine Beaupre <anarcat@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 888297@bugs.debian.org, Gregor Riepl <onitake@gmail.com>
Subject: Re: p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow
Date: Fri, 26 Jan 2018 16:10:54 -0500
Control: tags -1 +patch

Since a fix was published in upstream 18.00-beta, I looked at the source
there and was able to produce a simple patch for wheezy, which should be
trivial to port to jessie and easy to port to stretch:

https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/c296/attachment/CVE-2017-17969.patch

Attached as well.

Looks good?

A.
[CVE-2017-17969.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Antoine Beaupre <anarcat@debian.org> to 888297-submit@bugs.debian.org. (Fri, 26 Jan 2018 21:15:03 GMT)


Reply sent to Robert Luberda <robert@debian.org>:
You have taken responsibility. (Sun, 28 Jan 2018 23:09:09 GMT)


Notification sent to Gregor Riepl <onitake@gmail.com>:
Bug acknowledged by developer. (Sun, 28 Jan 2018 23:09:09 GMT)


Message #35 received at 888297-close@bugs.debian.org:

From: Robert Luberda <robert@debian.org>
To: 888297-close@bugs.debian.org
Subject: Bug#888297: fixed in p7zip 16.02+dfsg-5
Date: Sun, 28 Jan 2018 23:05:22 +0000
Source: p7zip
Source-Version: 16.02+dfsg-5

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888297@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Luberda <robert@debian.org> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 28 Jan 2018 23:32:37 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source amd64
Version: 16.02+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Robert Luberda <robert@debian.org>
Description:
 p7zip      - 7zr file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Closes: 873943 888297
Changes:
 p7zip (16.02+dfsg-5) unstable; urgency=medium
 .
   * Hopefully fix ZIP Shrink: Heap Buffer Overflow (CVE-2017-17969). Thanks
     to Antoine Beaupré for the initial patch, based on upstream changes in
     7Zip 18.00.beta (closes: #888297).
   * Fix `deprecated use of operator++ on bool variable' g++ warning.
   * Fix a typo in man page introduced in 09-man-update.patch
     (closes: #873943).
   * Bump debhelper's compat level to 11.
   * Use 'https' URL in debian/watch (lintian).
   * Standards-Version: 4.1.3.




Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip. (Mon, 29 Jan 2018 21:21:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Mon, 29 Jan 2018 21:21:10 GMT)


Message #40 received at 888297@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 888297@bugs.debian.org
Subject: Re: Bug#888297: p7zip: Multiple Memory Corruptions via RAR and ZIP
Date: Mon, 29 Jan 2018 22:18:34 +0100
Attaching the used patch for reference.

Regards,
Salvatore
[13-CVE-2017-17969.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip. (Thu, 01 Feb 2018 16:09:05 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Thu, 01 Feb 2018 16:09:05 GMT)


Message #45 received at 888297@bugs.debian.org:

From: Antoine Beaupre <anarcat@debian.org>
To: 888297@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, Gregor Riepl <onitake@gmail.com>
Subject: Re: Bug#888297: p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow
Date: Thu, 1 Feb 2018 11:04:35 -0500
On Fri, Jan 26, 2018 at 04:10:54PM -0500, Antoine Beaupre wrote:
> Control: tags -1 +patch
> 
> Since a fix was published in upstream 18.00-beta, I looked at the source
> there and was able to produce a simple patch for wheezy, which should be
> trivial to port to jessie and easy to port to stretch:
> 
> https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/c296/attachment/CVE-2017-17969.patch
> 
> Attached as well.
> 
> Looks good?

It does not, at all, look good: that doesn't even compile...

I've submitted a new patch upstream:

https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#2de7

And will leave the discussion happening there.

This one builds, at least, and as far as I can tell, doesn't introduce
regressions in the normal code paths that I could test. I've asked the
original researcher for a reproducer to see if this fixes the issue as
well, so I'll wait a little longer for feedback before issuing an
advisory on that one.

A.

Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip. (Fri, 02 Feb 2018 09:48:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Fri, 02 Feb 2018 09:48:03 GMT)


Message #50 received at 888297@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 888297@bugs.debian.org, Robert Luberda <robert@debian.org>
Cc: Gregor Riepl <onitake@gmail.com>, anarcat@debian.org
Subject: Re: Bug#888297 closed by Robert Luberda <robert@debian.org> (Bug#888297: fixed in p7zip 16.02+dfsg-5)
Date: Fri, 2 Feb 2018 10:46:12 +0100
Hi Robert,

On Sun, Jan 28, 2018 at 11:09:09PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the p7zip package:
> 
> #888297: p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow
[...]
>    * Hopefully fix ZIP Shrink: Heap Buffer Overflow (CVE-2017-17969). Thanks
>      to Antoine Beaupré for the initial patch, based on upstream changes in
>      7Zip 18.00.beta (closes: #888297).

It looks like the upload for unstable contained a backport of an earlier
variant. Can you update to the most recent iteration as posted in
https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7 ?

The check for cur against kNumItems is missing, not sure this can
cause any further problem.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip. (Fri, 02 Feb 2018 15:21:06 GMT)


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Fri, 02 Feb 2018 15:21:06 GMT)


Message #55 received at 888297@bugs.debian.org:

From: Antoine Beaupré <anarcat@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 888297@bugs.debian.org, Robert Luberda <robert@debian.org>
Cc: Gregor Riepl <onitake@gmail.com>
Subject: Re: Bug#888297 closed by Robert Luberda <robert@debian.org> (Bug#888297: fixed in p7zip 16.02+dfsg-5)
Date: Fri, 02 Feb 2018 10:17:37 -0500
On 2018-02-02 10:46:12, Salvatore Bonaccorso wrote:
> Hi Robert,
>
> On Sun, Jan 28, 2018 at 11:09:09PM +0000, Debian Bug Tracking System wrote:
>> This is an automatic notification regarding your Bug report
>> which was filed against the p7zip package:
>> 
>> #888297: p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow
> [...]
>>    * Hopefully fix ZIP Shrink: Heap Buffer Overflow (CVE-2017-17969). Thanks
>>      to Antoine Beaupré for the initial patch, based on upstream changes in
>>      7Zip 18.00.beta (closes: #888297).
>
> It looks like the upload for unstable contained a backport of an earlier
> variant. Can you update to the most recent iteration as posted in
> https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7 ?
>
> The check for cur against kNumItems is missing, not sure this can
> cause any further problem.

I concur: the original researcher explicitly sent me a patch that checks
the `cur` counter as well.

A.

-- 
The true revolutionary is guided by a great feeling of love.
                        - Ernesto "Che" Guevara



Marked as found in versions p7zip/9.20.1~dfsg.1-4.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Feb 2018 09:12:15 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#888297; Package p7zip. (Mon, 05 Feb 2018 19:48:03 GMT)


Acknowledgement sent to Robert Luberda <robert@debian.org>:
Extra info received and forwarded to list. (Mon, 05 Feb 2018 19:48:03 GMT)


Message #62 received at 888297@bugs.debian.org:

From: Robert Luberda <robert@debian.org>
To: Antoine Beaupré <anarcat@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 888297@bugs.debian.org
Cc: Gregor Riepl <onitake@gmail.com>
Subject: Re: Bug#888297 closed by Robert Luberda <robert@debian.org> (Bug#888297: fixed in p7zip 16.02+dfsg-5)
Date: Mon, 5 Feb 2018 20:44:49 +0100
Antoine Beaupré writes:

Hi,

>> The check for cur against kNumItems is missing, not sure this can
>> cause any further problem.
> 
> I concur: the original researcher explicitly sent me a patch that checks
> the `cur` counter as well.

Thanks, I'm just uploading -6 with updated patch.

Regards,
robert
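
The messages above note that the first upload lacked the check of `cur` against `kNumItems`. As an added illustration (not the p7zip source and not the Debian patch), here is a simplified LZW parent-chain walk in C that bounds both `cur` and the stack index. The value of `kNumItems`, the table layout and all function names are assumptions, and the sample table entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* `cur` and `kNumItems` are names from the thread. The value below (13-bit
 * codes), the table layout and every function name are assumptions. */
#define kNumItems (1u << 13)

typedef struct {
    uint16_t parents[kNumItems];   /* code -> code of its prefix string */
    uint8_t  suffixes[kNumItems];  /* code -> last byte of its string */
    uint8_t  stack[kNumItems];     /* bytes are recovered last-to-first */
} Tables;

static Tables g_tables;

static void tables_reset(Tables *t) { memset(t, 0, sizeof *t); }

/* Install one dictionary entry. A uint16_t parent can hold values far above
 * kNumItems, so the table contents alone never guarantee a valid link. */
static void add_code(Tables *t, unsigned code, uint16_t parent, uint8_t suffix)
{
    if (code >= 256 && code < kNumItems) {
        t->parents[code] = parent;
        t->suffixes[code] = suffix;
    }
}

/* Expand `sym` into out[]. Returns the string length, or -1 if malformed. */
static int expand_checked(Tables *t, unsigned sym, uint8_t *out, size_t out_cap)
{
    unsigned cur = sym;
    unsigned i = 0;

    while (cur >= 256) {
        if (cur >= kNumItems)   /* code or parent link points outside the tables */
            return -1;
        if (i >= kNumItems)     /* stack is full: the chain loops back on itself */
            return -1;
        t->stack[i++] = t->suffixes[cur];
        cur = t->parents[cur];
    }
    if ((size_t)i + 1 > out_cap)
        return -1;
    out[0] = (uint8_t)cur;                  /* the chain ends at a literal byte */
    for (unsigned k = 0; k < i; k++)
        out[1 + k] = t->stack[i - 1 - k];   /* unstack into forward order */
    return (int)(i + 1);
}

int main(void)
{
    uint8_t out[16];

    tables_reset(&g_tables);
    add_code(&g_tables, 257, 'a', 'b');     /* constructed sample entries */
    add_code(&g_tables, 258, 257, 'c');
    add_code(&g_tables, 300, 301, 'x');     /* 300 <-> 301 form a cycle */
    add_code(&g_tables, 301, 300, 'y');
    add_code(&g_tables, 400, 60000, 'z');   /* parent outside the tables */

    printf("valid chain  : %d\n", expand_checked(&g_tables, 258, out, sizeof out));
    printf("cyclic chain : %d\n", expand_checked(&g_tables, 300, out, sizeof out));
    printf("bad parent   : %d\n", expand_checked(&g_tables, 400, out, sizeof out));
    return 0;
}
```

Without the index bound, the cyclic chain would keep writing past the end of `stack`; without the bound on `cur`, the out-of-range parent would be used to index the tables.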




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 09 Feb 2018 23:51:13 GMT)


Notification sent to Gregor Riepl <onitake@gmail.com>:
Bug acknowledged by developer. (Fri, 09 Feb 2018 23:51:13 GMT)


Message #67 received at 888297-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 888297-close@bugs.debian.org
Subject: Bug#888297: fixed in p7zip 16.02+dfsg-3+deb9u1
Date: Fri, 09 Feb 2018 23:47:13 +0000
Source: p7zip
Source-Version: 16.02+dfsg-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888297@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 02 Feb 2018 11:11:41 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source
Version: 16.02+dfsg-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 888297
Description:
 p7zip      - 7zr file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Changes:
 p7zip (16.02+dfsg-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
     (CVE-2017-17969)
     Thanks to Antoine Beaupré (Closes: #888297)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 10 Feb 2018 21:09:11 GMT)


Notification sent to Gregor Riepl <onitake@gmail.com>:
Bug acknowledged by developer. (Sat, 10 Feb 2018 21:09:11 GMT)


Message #72 received at 888297-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 888297-close@bugs.debian.org
Subject: Bug#888297: fixed in p7zip 9.20.1~dfsg.1-4.1+deb8u3
Date: Sat, 10 Feb 2018 21:08:24 +0000
Source: p7zip
Source-Version: 9.20.1~dfsg.1-4.1+deb8u3

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888297@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 02 Feb 2018 10:53:50 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source
Version: 9.20.1~dfsg.1-4.1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 888297
Description:
 p7zip      - 7z file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Changes:
 p7zip (9.20.1~dfsg.1-4.1+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
     (CVE-2017-17969)
     Thanks to Antoine Beaupré (Closes: #888297)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 18 Apr 2018 07:31:18 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:24:47 2019; Machine Name: beach
