YOKOTA Hiroshi
2024-10-06 04:40:01 UTC
Severity: normal
Tags: bookworm security
X-Debbugs-Cc: ***@packages.debian.org, ***@security.debian.org, ***@gmail.com
Control: affects -1 + src:7zip
User: ***@packages.debian.org
Usertags: pu
[ Reason ]
Fix CVE-2023-52168 (buffer overflow) and CVE-2023-52169 (buffer over-read)
[ Impact ]
Some vulnerabilities are unfixed.
[ Tests ]
A very trivial NTFS disk image file test passed:
* list files
* extract files
[ Risks ]
Upstream does not provide a fix patch.
So I extracted the fix patch from the CVE reporter's blog entry:
https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
I think the fix patch will work, but it is not confirmed by upstream because upstream does not provide fix patch files.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Add fix-ups to NTFS extractor.
[ Other info ]
https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
https://salsa.debian.org/debian/7zip/-/tree/bookworm-update
https://salsa.debian.org/debian/7zip/-/commits/33950db8e8c9130ac6718fde10515c74f9c6cecc
Roger Shimizu <***@debian.org> provides the bookworm-backports package
7zip:24.08+dfsg-1~bpo12+1.
7zip 24.08 already has the vulnerabilities fixed by upstream, since 24.05.
--
YOKOTA Hiroshi