Bug 2382340

Summary: CVE-2025-53816 7zip: 7-Zip heap buffer overflow
Product: [Fedora] Fedora EPEL
Component: p7zip
Version: epel8
Hardware: Unspecified
OS: Linux
Status: NEW
Severity: medium
Priority: unspecified
Type: Bug
Reporter: Dave B <dwb7>
Assignee: Davide Cavalca <davide>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: davide, dwb7, michel
Target Milestone: ---
Target Release: ---
Fixed In Version:

Description Dave B 2025-07-21 14:05:06 UTC
Description of problem:

A critical memory corruption vulnerability in the popular file archiver 7-Zip has been discovered that allows attackers to trigger denial of service conditions by crafting malicious RAR5 archive files.

The vulnerability, tracked as CVE-2025-53816 and designated GHSL-2025-058, affects all versions of 7-Zip prior to version 25.00.

While the flaw is unlikely to lead to arbitrary code execution, it poses significant risks for denial-of-service attacks against systems processing untrusted archive files.

The vulnerability stems from a heap-based buffer overflow in 7-Zip’s RAR5 decoder implementation. Specifically, the flaw occurs in the NCompress::NRar5::CDecoder component when the software attempts to recover from corrupted archive data by filling damaged sections with zeros.

The root cause lies in a miscalculation of the rem value during memory zeroing operations. When processing RAR5 archives, the decoder calls My_ZeroMemory(_window + _winPos, (size_t)rem) where the rem parameter is calculated as _lzEnd - lzSize.

However, the _lzEnd variable depends on the size of previous items in the archive, which can be controlled by attackers.

This miscalculation allows attackers to write zeros beyond the allocated heap buffer, potentially corrupting adjacent memory regions and causing application crashes.


Version-Release number of selected component (if applicable):

p7zip-plugins-16.02-31.el8.x86_64


Additional info:

prior to 25.0.0. Version 25.0.0 contains a fix for the issue.
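The zero-fill step the report describes, as an added example that is not code from the bug report, from 7-Zip or from p7zip: a simplified C model of an LZ window whose recovery path zeroes rem = _lzEnd - lzSize bytes at _window + _winPos. The names _window, _winPos, _lzEnd, lzSize and rem are the report's; the 64-byte window, the guard region after it, the constructed scenario values and the clamped-and-wrapped hardened variant are assumptions made for illustration and are not the upstream fix. The guard bytes live in the same allocation as the window so that the unchecked fill can overrun without undefined behaviour and the damage can be counted.

```c
/* Added example (not 7-Zip's code): a simplified model of the zero-fill step
 * described in the report. The names _window/_winPos/_lzEnd/lzSize/rem come
 * from the report; the window size, the guard region and the hardened
 * variant are assumptions made for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WIN_SIZE 64u    /* assumed tiny LZ window so the overrun is easy to see */
#define GUARD    16u    /* bytes after the window standing in for adjacent heap memory */

/* One allocation laid out as [ window | guard ]. Keeping the guard inside the
 * same allocation lets the unchecked fill overrun the window without undefined
 * behaviour, so the clobbered bytes can be counted afterwards. */
static uint8_t *alloc_window(void)
{
    uint8_t *buf = malloc(WIN_SIZE + GUARD);
    if (!buf) abort();
    memset(buf, 0xAA, WIN_SIZE);            /* stands in for decoded data */
    memset(buf + WIN_SIZE, 0xBB, GUARD);    /* sentinel pattern */
    return buf;
}

/* Vulnerable pattern from the report: rem = _lzEnd - lzSize goes straight to
 * the zeroing call. _lzEnd is derived from item sizes in the archive, so rem
 * is attacker-controlled and is never compared with the space left in the
 * window after _winPos. */
static size_t zero_fill_unchecked(uint8_t *window, size_t winPos,
                                  uint64_t lzEnd, uint64_t lzSize)
{
    if (lzEnd <= lzSize) return 0;
    size_t rem = (size_t)(lzEnd - lzSize);
    memset(window + winPos, 0, rem);   /* My_ZeroMemory(_window + _winPos, (size_t)rem) */
    return rem;
}

/* Hardened variant (illustrative, not the upstream patch): clamp the request
 * to one window and wrap at the window boundary as a circular LZ window
 * requires. Zeroing more than WIN_SIZE bytes is equivalent to zeroing the
 * whole window, so the clamp loses nothing. */
static size_t zero_fill_checked(uint8_t *window, size_t winPos,
                                uint64_t lzEnd, uint64_t lzSize)
{
    if (lzEnd <= lzSize) return 0;
    uint64_t rem = lzEnd - lzSize;
    if (rem > WIN_SIZE) rem = WIN_SIZE;
    size_t total = (size_t)rem;
    size_t pos = winPos % WIN_SIZE;
    size_t first = WIN_SIZE - pos;
    if (first > total) first = total;
    memset(window + pos, 0, first);
    memset(window, 0, total - first);  /* wrapped remainder, possibly 0 bytes */
    return total;
}

/* Constructed scenario: the decoder sits 8 bytes before the end of the window
 * and the archive metadata asks for 20 bytes of zero fill. */
#define DEMO_WINPOS 56u
#define DEMO_LZEND  100u
#define DEMO_LZSIZE 80u

typedef size_t (*fill_fn)(uint8_t *, size_t, uint64_t, uint64_t);
typedef struct { size_t clobbered; size_t zeroed; } FillResult;

/* Runs one fill variant on a fresh window and reports how many guard bytes
 * were overwritten and how many window bytes ended up zero. */
FillResult run_fill(fill_fn fill)
{
    FillResult r = { 0, 0 };
    uint8_t *buf = alloc_window();
    fill(buf, DEMO_WINPOS, DEMO_LZEND, DEMO_LZSIZE);
    for (size_t i = 0; i < GUARD; i++)
        if (buf[WIN_SIZE + i] != 0xBB) r.clobbered++;
    for (size_t i = 0; i < WIN_SIZE; i++)
        if (buf[i] == 0) r.zeroed++;
    free(buf);
    return r;
}

int main(void)
{
    FillResult u = run_fill(zero_fill_unchecked);
    FillResult c = run_fill(zero_fill_checked);
    printf("unchecked: %zu guard bytes clobbered, %zu window bytes zeroed\n",
           u.clobbered, u.zeroed);
    printf("checked:   %zu guard bytes clobbered, %zu window bytes zeroed\n",
           c.clobbered, c.zeroed);
    return 0;
}
```

With the constructed values the unchecked path writes 12 of its 20 zero bytes past the window into the guard region, which is the heap neighbour corruption the report describes; the checked path zeroes the same 20 bytes entirely inside the window by wrapping. In a real decoder the clamp is only half the story: the caller must also keep _lzEnd consistent with what was actually written, otherwise a later window refill starts from a position the archive chose rather than one the decoder verified.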