Bug 438410

Summary: p7zip: Archive Formats Issues
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: matthias
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-08 18:10:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 430753    

Description Tomas Hoger 2008-03-20 19:06:52 UTC 
CERT-FI and CPNI published a results of their research on archiver flaws.  Large
set of archives in various formats (ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP
and ZOO) was published, along with list of affected vendors.

According to the results, p7zip contained some problems, that should be fixed in
upstream 4.57.  However, CERT-FI/CPNI and 7-Zip pages do not seem to have
further details on which formats were affected and whether those were crash-only
issues or possibly some code execution issues.

Fedora currently ships p7zip 4.51.

References:
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
http://bugs.gentoo.org/show_bug.cgi?id=213889
Comment 1 Fedora Update System 2008-12-24 13:46:28 UTC 
p7zip-4.61-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/p7zip-4.61-1.fc9
Comment 2 Fedora Update System 2008-12-24 13:46:32 UTC 
p7zip-4.61-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/p7zip-4.61-1.fc8
Comment 3 Fedora Update System 2008-12-24 13:46:35 UTC 
p7zip-4.61-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/p7zip-4.61-1.fc10
Comment 4 Fedora Update System 2009-01-07 09:30:45 UTC 
p7zip-4.61-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2009-01-07 09:30:51 UTC 
p7zip-4.61-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-01-07 09:36:02 UTC 
p7zip-4.61-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Matthias Saou 2009-01-08 18:10:06 UTC 
All relevant updates have been pushed to the stable updates. Closing.