[Slackbuilds-users] p7zip vulnerabilities

Willy Sudiarto Raharjo willysr at slackbuilds.org
Wed Jun 1 00:43:43 UTC 2016


> p7zip 9.20.1 has two security issues:
> 
> CVE-2015-1038:
> p7zip 9.20.1 allows remote attackers to write to arbitrary files via a
> symlink attack in an archive.
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038
> https://sourceforge.net/p/p7zip/bugs/147/#2f9c
> 
> CVE-2016-2335:
> 7zip UDF CInArchive::ReadFileItem Code Execution Vulnerability
> 
> http://www.talosintel.com/reports/TALOS-2016-0094/
> https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/#1dba
> 
> The latest p7zip, i.e. 15.14.1, is not affected by CVE-2015-1038, but
> is affected by CVE-2016-2335 and also by CVE-2016-2334.
> 
> Attached are the patches for these issues, and for the slackbuild.
> 
> Notes:
> 
> p7zip.SlackBuild.patch
> Applies the patches to fix vulnerabilities in p7zip 9.20.1

Applied 9.20.1 patches in my branch
15.14.1 still breaks jalview here

Thanks


-- 
Willy Sudiarto Raharjo
