Bug#1084171: bookworm-pu: package 7zip/22.01+dfsg-8+deb12u1
YOKOTA Hiroshi
2024-10-06 04:40:01 UTC
Package: release.debian.org
Severity: normal
Tags: bookworm security
X-Debbugs-Cc: ***@packages.debian.org, ***@security.debian.org, ***@gmail.com
Control: affects -1 + src:7zip
User: ***@packages.debian.org
Usertags: pu


[ Reason ]
Fix CVE-2023-52168 (buffer overflow) and CVE-2023-52169 (buffer over-read)

[ Impact ]
Some vulnerabilities are unfixed.

[ Tests ]
A very trivial NTFS disk image file test passed:
* list files
* extract files

[ Risks ]
Upstream does not provide a fix patch,
so I extracted the fix patch from the CVE reporter's blog entry:
https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
I think the fix patch will work, but it is not confirmed by upstream
because upstream does not provide fix patch files.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Add fix-ups to NTFS extractor.

[ Other info ]
https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
https://salsa.debian.org/debian/7zip/-/tree/bookworm-update
https://salsa.debian.org/debian/7zip/-/commits/33950db8e8c9130ac6718fde10515c74f9c6cecc

Roger Shimizu <***@debian.org> provides the bookworm-backports package
7zip:24.08+dfsg-1~bpo12+1.
7zip 24.08 already has the vulnerabilities fixed by upstream (since 24.05).

--
YOKOTA Hiroshi
Jonathan Wiltshire
2024-10-17 12:20:02 UTC
Control: tag -1 confirmed

Please add a bit more detail about what those CVEs refer to in the
changelog, and then go ahead.

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
yokota
2024-10-17 17:50:01 UTC
Jonathan Wiltshire wrote:
> Please add a bit more detail about what those CVEs refer to in the
> changelog, and then go ahead.

Thank you.
I uploaded it with a detailed changelog.

--
YOKOTA Hiroshi
