Bug 2432832

Summary: CVE-2025-11002 advancecomp: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability [fedora-42]
Product: [Fedora] Fedora Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: advancecompAssignee: Ben Beasley <code>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 42CC: code, i, tdawson
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["f90450ee-5b2d-4cfd-a654-86f743b10e84"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-01-26 14:51:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2432267    

Description Guilherme de Almeida Suckevicz 2026-01-26 14:43:22 UTC 
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Comment 1 Ben Beasley 2026-01-26 14:51:34 UTC 
The advancecomp package does include code forked from a subset of a very old version of 7-Zip, so it is possible that it could be impacted by a vulnerability in 7-Zip. However, neither the CVE report https://www.cve.org/CVERecord?id=CVE-2025-11002 nor the Zero Day Initiative report https://www.zerodayinitiative.com/advisories/ZDI-25-950/ provides any details about the precise nature of the bug, the source files or functions where the bug exists, or the nature of the fix that was included in 7-Zip 25.00. Furthermore, while 7-Zip is open-source, it is not developed “in the open,” in that it has no public VCS, so we can’t dig through the commit history to try to figure out which change was associated with this report. All this means that there is not remotely enough information available to determine whether or not advancecomp is affected by this CVE, let alone to fix it, if it turns out that there is something to fix. It seems unlikely that more information will ever become available, so I’m closing this bug.