Debian Bug report logs - #824160: p7zip: CVE-2016-2334 CVE-2016-2335
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 13 May 2016 05:06:02 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in versions p7zip/9.20.1~dfsg.1-4, p7zip/15.14.1+dfsg-1
Fixed in versions p7zip/15.14.1+dfsg-2, p7zip/9.20.1~dfsg.1-4.1+deb8u2
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Robert Luberda <robert@debian.org>: Bug#824160; Package src:p7zip. (Fri, 13 May 2016 05:06:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Robert Luberda <robert@debian.org>. (Fri, 13 May 2016 05:06:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: p7zip
Version: 15.14.1+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for p7zip.
CVE-2016-2334[0]:
Heap-buffer-overflow vulnerability
CVE-2016-2335[1]:
Out-of-bounds read vulnerability
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-2334
[1] https://security-tracker.debian.org/tracker/CVE-2016-2335
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
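The bug header above records the versions this report was found in and fixed in on two branches (9.20.1~dfsg.1 in jessie, 15.14.1+dfsg in unstable). What follows is an added example, not part of this bug log and not dpkg's code: it reimplements the dpkg version ordering from Debian Policy 5.6.12 (the same algorithm as dpkg's verrevcmp(): `~` sorts before anything, even the end of the string; letters before non-letters; digit runs compare numerically) so an installed p7zip version can be placed against the found/fixed ranges without shelling out to `dpkg --compare-versions`. The found and fixed versions are copied from the bug header; the "installed" versions tried at the bottom are constructed for illustration.

```python
"""Place a p7zip package version against the found/fixed versions recorded in
Debian bug #824160, using the dpkg version ordering.

Added example: not part of the bug log and not dpkg's code. _verrevcmp() is a
reimplementation of the comparison described in Debian Policy 5.6.12 (the
same algorithm as dpkg's verrevcmp()); the "installed" versions in the demo
at the bottom are constructed for illustration."""
import functools

# Copied from the bug header of #824160 (the "p7zip/" source prefix dropped).
FOUND = ["9.20.1~dfsg.1-4", "15.14.1+dfsg-1"]
FIXED = ["15.14.1+dfsg-2", "9.20.1~dfsg.1-4.1+deb8u2"]


def _order(c):
    """Sort weight of one character in a non-digit run: '~' sorts before
    everything, even the end of the string; letters sort before non-letters;
    digits and end of string weigh 0 so the caller can stop at a digit run."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or debian-revision strings.
    Alternates between a lexical compare of the leading non-digit runs and a
    numeric compare of the leading digit runs until a difference is found."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does: the epoch is the
    part before the first ':', the revision is the part after the last '-'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no revision at all: rpartition put everything in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as `dpkg --compare-versions a lt/eq/gt b` would."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_vulnerable(installed, found=FOUND, fixed=FIXED):
    """True when `installed` lies in [F, X) for some found version F and the
    lowest fixed version X above F (or in [F, inf) if no fix above F exists).
    Pairing each found version with the next fix above it keeps the jessie
    (9.20.1~dfsg.1) and unstable (15.14.1+dfsg) branches from being mixed up:
    15.14.1+dfsg-1 is above the jessie fix yet still vulnerable. Versions below
    the earliest found version are not flagged, which only reflects what the
    BTS metadata records, not a claim that they are safe."""
    by_dpkg_order = functools.cmp_to_key(compare_versions)
    for f in found:
        if compare_versions(installed, f) < 0:
            continue
        fixes_above = sorted((x for x in fixed if compare_versions(x, f) > 0), key=by_dpkg_order)
        if not fixes_above or compare_versions(installed, fixes_above[0]) < 0:
            return True
    return False


if __name__ == "__main__":
    # Constructed installed versions, not taken from the bug log.
    for v in ["9.20.1~dfsg.1-4.1+deb8u1", "9.20.1~dfsg.1-4.1+deb8u2",
              "15.14.1+dfsg-1", "15.14.1+dfsg-2", "16.02+dfsg-1"]:
        print(f"{v:28} {'VULNERABLE' if is_vulnerable(v) else 'fixed/out of range'}")
```

The point of pairing each found version with the next fix above it, rather than asking "is installed >= any fixed version", is visible in the 15.14.1+dfsg-1 case: it sorts above the jessie fix 9.20.1~dfsg.1-4.1+deb8u2 but is itself listed as affected, so a flat comparison would report it as fixed.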
Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>: Bug#824160; Package src:p7zip. (Fri, 13 May 2016 05:15:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Fri, 13 May 2016 05:15:03 GMT)
Message #10 received at 824160@bugs.debian.org:
Hi Robert,
One note though on this bugreport. Can you check it actually affects
the port p7zip, and not only 7zip.
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>: Bug#824160; Package src:p7zip. (Fri, 13 May 2016 10:09:03 GMT)
Acknowledgement sent to "Yuriy M. Kaminskiy" <yumkam@gmail.com>: Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Fri, 13 May 2016 10:09:03 GMT)
Message #15 received at 824160@bugs.debian.org:
> Can you check it actually affects [...]
According to http://www.talosintel.com/reports/* (as linked from
tracker), CVE-2016-2334 affects HFS+ parser and CVE-2016-2335 UDF parser.
Both are *not* part of platform specific code and thus should be part of
p7zip.
According to the upstream changelog, both UDF and HFS+ parsers were added
before version 9.20.1 (in jessie and wheezy).
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#824160; Package src:p7zip. (Sun, 15 May 2016 09:09:03 GMT)
Acknowledgement sent to Robert Luberda <robert@debian.org>: Extra info received and forwarded to list. (Sun, 15 May 2016 09:09:03 GMT)
Message #20 received at 824160@bugs.debian.org:
Yuriy M. Kaminskiy writes:
>> Can you check it actually affects [...]
>
> According to http://www.talosintel.com/reports/* (as linked from
> tracker), CVE-2016-2334 affects HFS+ parser and CVE-2016-2335 UDF
> parser.
I've found patches at [1]. Patch for CVE-2016-2335 applies cleanly on
both 9.20 and 15.14. However the patch for CVE-2016-2334 can be
applied to 15.14 only. According to [2] "HFS support was improved" in
version 9.32 beta, so 9.20 might not be vulnerable to this issue.
Dear Talos Team,
Could you please confirm whether 9.20 is or is not vulnerable to
CVE-2016-2334?
Regards,
Robert
[1] https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/?limit=25#3933/23ee
[2] http://www.7-zip.org/history.txt
Reply sent to Robert Luberda <robert@debian.org>: You have taken responsibility. (Sun, 15 May 2016 10:27:32 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 15 May 2016 10:27:32 GMT)
Message #25 received at 824160-close@bugs.debian.org:
Source: p7zip
Source-Version: 15.14.1+dfsg-2
We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 824160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Luberda <robert@debian.org> (supplier of updated p7zip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 15 May 2016 11:35:38 +0200
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source
Version: 15.14.1+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Robert Luberda <robert@debian.org>
Description:
p7zip - 7zr file archiver with high compression ratio
p7zip-full - 7z and 7za file archivers with high compression ratio
Closes: 824160
Changes:
p7zip (15.14.1+dfsg-2) unstable; urgency=high
.
* Fix the heap buffer overflow in HFS handler (CVE-2016-2334) and
out of bounds read in UDF handler (CVE-2016-2335) using patches from
https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/
(closes: #824160).
Checksums-Sha1:
d004ec56cae5cca9f643ff2379deaed93af317d7 1927 p7zip_15.14.1+dfsg-2.dsc
a8e69df94b49883e7d9315dd26198572399f51d0 21004 p7zip_15.14.1+dfsg-2.debian.tar.xz
Checksums-Sha256:
84600fc9d88a892927c54537b733538f7febf56f8a920b9bb685f904c236aa54 1927 p7zip_15.14.1+dfsg-2.dsc
f4db6803535fc30b6ae9db5aabfd9f57a851c6773d72073847ec5e3731b7af37 21004 p7zip_15.14.1+dfsg-2.debian.tar.xz
Files:
38568344189c39144558060339380c29 1927 utils optional p7zip_15.14.1+dfsg-2.dsc
a10894e90fa5bfa7be735bea18a952d5 21004 utils optional p7zip_15.14.1+dfsg-2.debian.tar.xz
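The .changes message above carries the SHA-256 checksums and sizes of the uploaded source artifacts. The following is an added example, not part of this bug log and not dpkg or dak code: it parses a Checksums-Sha256 stanza and verifies the named files on disk. The stanza embeds the two real lines from the p7zip_15.14.1+dfsg-2 upload plus one constructed line for a file named sample.txt (the SHA-256 of the bytes "abc"); the directory it checks is created by make_sample_dir() with constructed contents, so the run is offline and exercises the missing, wrong-content and good cases.

```python
"""Verify downloaded Debian source artifacts against the Checksums-Sha256
stanza of a .changes file.

Added example, not from the bug log and not dpkg's or dak's code. STANZA mixes
the two real Checksums-Sha256 lines from the p7zip_15.14.1+dfsg-2 .changes
message in this bug with one constructed line for sample.txt (the SHA-256 of
b"abc"); make_sample_dir() creates the files the check runs against."""
import hashlib
import os
import tempfile

STANZA = """\
Format: 1.8
Checksums-Sha256:
 84600fc9d88a892927c54537b733538f7febf56f8a920b9bb685f904c236aa54 1927 p7zip_15.14.1+dfsg-2.dsc
 f4db6803535fc30b6ae9db5aabfd9f57a851c6773d72073847ec5e3731b7af37 21004 p7zip_15.14.1+dfsg-2.debian.tar.xz
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 sample.txt
Files:
 38568344189c39144558060339380c29 1927 utils optional p7zip_15.14.1+dfsg-2.dsc
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from the continuation lines under
    `field`. A .changes file is RFC822-style: a field starts at column 0 and
    its multi-line value is the indented lines that follow it."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line[:1].isspace():
            in_field = line.rstrip() == field + ":"
            continue
        if in_field and line.strip():
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def sha256_file(path):
    """Stream the file through SHA-256 so large tarballs are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(directory, entries):
    """Return {filename: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}.
    The size is checked before hashing: it is cheap, and a wrong size already
    proves the file is not the one the uploader signed."""
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_file(path) != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def make_sample_dir():
    """Constructed fixture: sample.txt is genuine; the .dsc has the right size
    but the wrong content (a stand-in for a tampered or mirror-corrupted file);
    the .debian.tar.xz is absent."""
    d = tempfile.mkdtemp(prefix="changes-verify-")
    with open(os.path.join(d, "sample.txt"), "wb") as fh:
        fh.write(b"abc")
    with open(os.path.join(d, "p7zip_15.14.1+dfsg-2.dsc"), "wb") as fh:
        fh.write(b"#" * 1927)
    return d


def check_sample():
    """Run the verification over the constructed directory."""
    return verify(make_sample_dir(), parse_checksums(STANZA))


if __name__ == "__main__":
    for name, status in check_sample().items():
        print(f"{status:14} {name}")
```

The checksums only carry weight once the signature on the .changes file has been verified against a key you trust (the stanza sits inside the PGP-signed text, so a verified signature binds the digests to the uploader); whoever can swap the artifact can also rewrite an unsigned checksum list. The .changes also lists SHA-1 and MD5 digests in its Checksums-Sha1 and Files stanzas, but SHA-256 is the one to rely on.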
Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>: Bug#824160; Package src:p7zip. (Sun, 15 May 2016 17:45:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Sun, 15 May 2016 17:45:03 GMT)
Message #30 received at 824160@bugs.debian.org:
Hi Robert,
Thanks for the unstable fix.
On Sun, May 15, 2016 at 11:06:07AM +0200, Robert Luberda wrote:
> Yuriy M. Kaminskiy writes:
> >> Can you check it actually affects [...]
> >
> > According to http://www.talosintel.com/reports/* (as linked from
> > tracker), CVE-2016-2334 affects HFS+ parser and CVE-2016-2335 UDF
> > parser.
>
> I've found patches at [1]. Patch for CVE-2016-2335 applies clearly on
> both 9.20 and 15.14. However the patch for CVE-2016-2334 can be
> applied to 15.14 only. According to [2] "HFS support was improved" in
> version 9.32 beta, so 9.20 might not be vulnerable to this issue.
>
> Dear Talos Team,
> Could you please confirm whether 9.20 is or is not vulnerable to
> CVE-2016-2334?
I think it is, because the TALOS report says that 9.20 was tested as
well and found to be vulnerable. But an explicit confirmation would be
great.
Regards,
Salvatore
Marked as found in versions p7zip/9.20.1~dfsg.1-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 15 May 2016 17:45:05 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Thu, 09 Jun 2016 22:21:16 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 09 Jun 2016 22:21:17 GMT)
Message #37 received at 824160-close@bugs.debian.org:
Source: p7zip
Source-Version: 9.20.1~dfsg.1-4.1+deb8u2
We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 824160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated p7zip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 08 Jun 2016 16:50:10 +0200
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source
Version: 9.20.1~dfsg.1-4.1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 824160
Description:
p7zip - 7z file archiver with high compression ratio
p7zip-full - 7z and 7za file archivers with high compression ratio
Changes:
p7zip (9.20.1~dfsg.1-4.1+deb8u2) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-2335: UDF CInArchive::ReadFileItem code execution vulnerability
(Closes: #824160)
Checksums-Sha1:
1364dc25642b9f9a8eeab8032c11f093388c61d1 1825 p7zip_9.20.1~dfsg.1-4.1+deb8u2.dsc
c10983919213d9a7a63d8c194ecd4255e5675092 16213 p7zip_9.20.1~dfsg.1-4.1+deb8u2.diff.gz
Checksums-Sha256:
2ee6af4fed08a9f1fee8bb0915a8e2429d07802fe3c1fa0df0b4d57546d124e2 1825 p7zip_9.20.1~dfsg.1-4.1+deb8u2.dsc
72f96dc48d5ec84ee7ad83bde67e46684c640f3e84c0182dae914860d513a5bf 16213 p7zip_9.20.1~dfsg.1-4.1+deb8u2.diff.gz
Files:
ee03402a16d9eb141b9bf1d18326ad4a 1825 utils optional p7zip_9.20.1~dfsg.1-4.1+deb8u2.dsc
6921f103fa9b7ae461f576ee678520b0 16213 utils optional p7zip_9.20.1~dfsg.1-4.1+deb8u2.diff.gz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 23 Sep 2016 07:28:06 GMT)
Last modified: Wed Jun 19 13:44:47 2019