A heap-based buffer overflow in 7-Zip's shrink decoder can allow an attacker to write arbitrary data to memory and cause a crash. Versions of p7zip up to and including 16.02 are vulnerable. A fix for this vulnerability is available in the beta version of 7-Zip 18.00 (for Windows).

External References:

https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip
http://www.7-zip.org/history.txt

Created p7zip tracking bugs for this issue:

Affects: epel-all [bug 1538458]
Affects: fedora-all [bug 1538459]