Debian Bug report logs -
#888314
p7zip-rar: CVE-2018-5996: Memory Corruptions via RAR PPMd
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, onitake@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip.
(Wed, 24 Jan 2018 18:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Gregor Riepl <onitake@gmail.com>:
New Bug report received and forwarded. Copy sent to onitake@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Robert Luberda <robert@debian.org>.
(Wed, 24 Jan 2018 18:48:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: p7zip
Version: 16.02+dfsg-4
Severity: grave
Tags: upstream newcomer security
Justification: user security hole
Dear Maintainer,
p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
vulnerabilities:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-
zip/?hn
In particular, the RAR3 and LZW algorithm implementations are susceptible to
memory corruption and may compromise a system through specially crafted
archives.
These issues have already been fixed upstream, and a new version of p7zip
(18.0) is available.
Please update all p7zip* packages to their latest versions as soon as possible.
Thank you.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (900, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages p7zip depends on:
ii libc6 2.26-2
ii libgcc1 1:7.2.0-19
ii libstdc++6 7.2.0-19
p7zip recommends no packages.
Versions of packages p7zip suggests:
ii p7zip-full 16.02+dfsg-4
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#888297; Package p7zip.
(Wed, 24 Jan 2018 21:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>.
(Wed, 24 Jan 2018 21:39:03 GMT) (full text, mbox, link).
Message #10 received at 888297@bugs.debian.org (full text, mbox, reply):
Control: tags -1 - newcomer
Control: clone -1 -2
Control: retitle -1 p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow
Control: reassign -2 p7zip-rar
Control: retitle -2 p7zip-rar: CVE-2018-5996: Memory Corruptions via RAR PPMd
Hi
On Wed, Jan 24, 2018 at 07:45:30PM +0100, Gregor Riepl wrote:
> Package: p7zip
> Version: 16.02+dfsg-4
> Severity: grave
> Tags: upstream newcomer security
> Justification: user security hole
>
> Dear Maintainer,
>
> p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
> vulnerabilities:
> https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-
> zip/?hn
Since they are in two different source packages let's actually create
two bugs.
Regards,
Salvatore
Removed tag(s) newcomer.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 888297-submit@bugs.debian.org.
(Wed, 24 Jan 2018 21:39:03 GMT) (full text, mbox, link).
Bug 888297 cloned as bug 888314
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 888297-submit@bugs.debian.org.
(Wed, 24 Jan 2018 21:39:04 GMT) (full text, mbox, link).
Bug reassigned from package 'p7zip' to 'p7zip-rar'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 888297-submit@bugs.debian.org.
(Wed, 24 Jan 2018 21:39:06 GMT) (full text, mbox, link).
No longer marked as found in versions p7zip/16.02+dfsg-4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 888297-submit@bugs.debian.org.
(Wed, 24 Jan 2018 21:39:06 GMT) (full text, mbox, link).
Changed Bug title to 'p7zip-rar: CVE-2018-5996: Memory Corruptions via RAR PPMd' from 'p7zip: Multiple Memory Corruptions via RAR and ZIP'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 888297-submit@bugs.debian.org.
(Wed, 24 Jan 2018 21:39:07 GMT) (full text, mbox, link).
Reply sent
to Robert Luberda <robert@debian.org>:
You have taken responsibility.
(Mon, 29 Jan 2018 22:21:08 GMT) (full text, mbox, link).
Notification sent
to Gregor Riepl <onitake@gmail.com>:
Bug acknowledged by developer.
(Mon, 29 Jan 2018 22:21:08 GMT) (full text, mbox, link).
Message #27 received at 888314-close@bugs.debian.org (full text, mbox, reply):
Source: p7zip-rar
Source-Version: 16.02-2
We believe that the bug you reported is fixed in the latest version of
p7zip-rar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 888314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Luberda <robert@debian.org> (supplier of updated p7zip-rar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 29 Jan 2018 22:50:53 +0100
Source: p7zip-rar
Binary: p7zip-rar
Architecture: source amd64
Version: 16.02-2
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Robert Luberda <robert@debian.org>
Description:
p7zip-rar - non-free rar module for p7zip
Closes: 888314
Changes:
p7zip-rar (16.02-2) unstable; urgency=medium
.
* Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by
applying a few changes from 7Zip 18.00-beta (closes: #888314).
* Bump debhelper's compat level to 11.
* Remove `-pie' from hardening options (see: #859442).
* Use 'https' URL in debian/watch (lintian).
* Standards-Version: 4.1.3.
Checksums-Sha1:
996a09bbae2e3a1bed7264b9ff03a41a2417f175 1909 p7zip-rar_16.02-2.dsc
47e330d9efa69f59d58c36053766c13d5b4ff8e8 8580 p7zip-rar_16.02-2.debian.tar.xz
0d94e9b3afb9dad3461621e10daae29a6985ee22 184396 p7zip-rar-dbgsym_16.02-2_amd64.deb
8e95ef6321b73cc6fd620e7f16f061df7ffd0bbb 5682 p7zip-rar_16.02-2_amd64.buildinfo
6e71c90853374e062a07c66a23ba97335eda0e3f 57124 p7zip-rar_16.02-2_amd64.deb
Checksums-Sha256:
0e225ccdc5083b26fd0859fe9b4daadea2f0ddcaabce990280d674500a15edd7 1909 p7zip-rar_16.02-2.dsc
d69173ba5425366b4e2aa38dd8476d99cce2e9c76da787c44cd350b138e1dd7e 8580 p7zip-rar_16.02-2.debian.tar.xz
59e8b5b917a4e51f7cc682a1d50f7d66cca4523ddd8c75392446c59867453a90 184396 p7zip-rar-dbgsym_16.02-2_amd64.deb
4a1a08c590015543cac5d7f53069204bb0daf8edf72baeea2bdb625f9c9a5a26 5682 p7zip-rar_16.02-2_amd64.buildinfo
98bc2b34f4dc886844001662317d28e8ab325ea029a79d723b577a080f95b916 57124 p7zip-rar_16.02-2_amd64.deb
Files:
ae59983ff155c12522c19d8b332a284c 1909 non-free/utils optional p7zip-rar_16.02-2.dsc
47feb5c5d3aff7bb7d266171d8ef4828 8580 non-free/utils optional p7zip-rar_16.02-2.debian.tar.xz
b3e59931a516266ba1acf8c57e3932bf 184396 non-free/debug optional p7zip-rar-dbgsym_16.02-2_amd64.deb
7c5a9f36854b500e10079a04fa531597 5682 non-free/utils optional p7zip-rar_16.02-2_amd64.buildinfo
e7f76efa8b1cf5af99bf98033cc768bf 57124 non-free/utils optional p7zip-rar_16.02-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENeh4+rTTcy6TtNI3Yx3nVTvor9QFAlpvmCMACgkQYx3nVTvo
r9SefhAAjfcW/00Mn6sKZJ94Ue5ll5PVa7GHQaSeI6RwurV1YJd1Sfo9yfi8vcwU
uWkKra23JuKo3uNo5wgLGRpxlSRivXmuDvwqb7zaOTB30sHbVQRcUBl584/B1fCS
0GGuq3WZy8YT4HJD7fsG096m7GxZ+I8NxQnsmW7cI+6Wuy678ecZcW4m4VRv2qvy
CxLJOWR4+dFpiGck4GWxMv+gi89PzSlFa+78CdZwJcC/4uUsHT/nE9b/LwpPr76m
lK4VOGht6E3aiB8yt1irnIJRtlT2JJwM6yCAkf7E/Y2jWh8WkSXPZtAcLPIYZzL4
Mg1ILbzdB7fkGRYYVm/H7NVT6Kp+oVgihHoU78gAmPK8gZ6/LXT7N5yLSchukyLV
SU5hi73cfmjxWdmza+y3VvrM446EHaANLGBZxEdGd9QqUEqEqnTosVq2ZdUjaIXz
gP6rR3b6lgeFceq367P/dbO46P5H3wYZOdPoO8r7u03oMEF2c9g+jXm4NxbsE75X
9rh6EmlcSv6qWocTnexBV2qPAbQxav7k9Zmy1vDAeqapZDzWaLhWaoJC9tYHG3M+
t5wf+oN8rzi50jmf+iWQOCTjHdoOfzBHWcolcKiHPqtdk80F/WiK9RK2mgpf80Io
9tfpjqbuNWz12QqpbfZIfPcm1jh9RVJg8OjX0oeG/dlJi7KMBDA=
=J9SJ
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:15:49 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon