p7zip-rar: CVE-2018-10115

Related Vulnerabilities: CVE-2018-10115, CVE-2018-5996

Debian Bug report logs - #897674

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 4 May 2018 06:03:01 UTC

Severity: grave

Tags: security, upstream

Found in version p7zip-rar/16.02-1

Fixed in version p7zip-rar/16.02-3

Done: Robert Luberda <robert@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Robert Luberda <robert@debian.org>:
Bug#897674; Package src:p7zip-rar. (Fri, 04 May 2018 06:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Robert Luberda <robert@debian.org>. (Fri, 04 May 2018 06:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: p7zip-rar: CVE-2018-10115
Date: Fri, 04 May 2018 07:59:51 +0200
Source: p7zip-rar
Version: 16.02-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for p7zip-rar.

CVE-2018-10115[0]:
| Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03
| and before can lead to usage of uninitialized memory, allowing remote
| attackers to cause a denial of service (segmentation fault) or execute
| arbitrary code via a crafted RAR archive.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10115
[1] https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
[2] https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Robert Luberda <robert@debian.org>:
You have taken responsibility. (Wed, 30 May 2018 07:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 30 May 2018 07:39:03 GMT)


Message #10 received at 897674-close@bugs.debian.org:

From: Robert Luberda <robert@debian.org>
To: 897674-close@bugs.debian.org
Subject: Bug#897674: fixed in p7zip-rar 16.02-3
Date: Wed, 30 May 2018 07:23:19 +0000
Source: p7zip-rar
Source-Version: 16.02-3

We believe that the bug you reported is fixed in the latest version of
p7zip-rar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Luberda <robert@debian.org> (supplier of updated p7zip-rar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 30 May 2018 09:04:26 +0200
Source: p7zip-rar
Binary: p7zip-rar
Architecture: source amd64
Version: 16.02-3
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Robert Luberda <robert@debian.org>
Description:
 p7zip-rar  - non-free rar module for p7zip
Closes: 897674
Changes:
 p7zip-rar (16.02-3) unstable; urgency=medium
 .
   * Hopefully fix uninitialized memory access (CVE-2018-10115)
     by applying  changes described at
     https://landave.io/files/patch_7zip_CVE-2018-10115.txt
     (closes: #897674, LP: #1768984).
   * debian/control:
     + switch VCS fields to salsa;
     + set Rules-Requires-Root to no;
     + Standards-Version: 4.1.4.
   * debian/copyright: add a short comment explaining why this package
     is non-free (lintian).




Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#897674; Package src:p7zip-rar. (Sun, 24 Feb 2019 21:45:03 GMT)


Acknowledgement sent to Raphael Kubo da Costa <rakuco@FreeBSD.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Sun, 24 Feb 2019 21:45:03 GMT)


Message #15 received at 897674@bugs.debian.org:

From: Raphael Kubo da Costa <rakuco@FreeBSD.org>
To: 897674@bugs.debian.org
Cc: robert@debian.org, carnil@debian.org
Subject: Re: Bug#897674: p7zip-rar: CVE-2018-10115
Date: Sun, 24 Feb 2019 22:35:03 +0100
I was recently looking at this CVE and CVE_2018_10115.patch.

According to upstream 7-zip [1], this bug was fixed in version 18.05. In 
the upstream release announcement, someone asked about variables like 
_errorMode that were introduced earlier to deal with CVE-2018-5996 [2] 
and how they had been removed from this release.

The 7-Zip maintainer replied it was intentional and both CVEs should be 
fixed with that code. I've diff'ed 18.03 and 18.05, and _errorMode is 
either commented out or removed in the code, while the existing 
CVE_2018_10115.patch still has them in addition to the _solidAllowed 
stuff. I just package p7zip so I don't know much about how its 
implementation works, but I figured it'd be a better idea to make the 
CVE-2018-10115 patch more similar to what upstream had.

This new version is attached and follows what 18.05 upstream does.

[1] https://www.7-zip.org/history.txt
[2] https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/#8b13
[cve-2018-10115_v2.diff (text/x-patch, attachment)]


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:17:17 2019; Machine Name: buxtehude
