[Slackbuilds-users] p7zip vulnerabilities

Sebastien BALLET slacker6896 at gmail.com
Tue May 31 14:16:49 UTC 2016


Hello,

p7zip 9.20.1 has two security issues:

CVE-2015-1038:
p7zip 9.20.1 allows remote attackers to write to arbitrary files via a
symlink attack in an archive.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038
https://sourceforge.net/p/p7zip/bugs/147/#2f9c

CVE-2016-2335:
7zip UDF CInArchive::ReadFileItem Code Execution Vulnerability

http://www.talosintel.com/reports/TALOS-2016-0094/
https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/#1dba

The latest p7zip, i.e. 15.14.1, is not affected by CVE-2015-1038, but is
affected by CVE-2016-2335 and also by CVE-2016-2334.

Attached are the patches for these issues, and for the SlackBuild.

Notes:

p7zip.SlackBuild.patch
Applies the patches to fix vulnerabilities in p7zip 9.20.1

p7zip.15.14.1.SlackBuild.patch
Bumps VERSION to 15.14.1 and applies the patches to fix vulnerabilities in
this version.

Hope this helps.

-- 
SeB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2015-1038.patch
Type: text/x-patch
Size: 8816 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20160531/16f13b7a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2016-2334.patch
Type: text/x-patch
Size: 889 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20160531/16f13b7a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2016-2335.patch
Type: text/x-patch
Size: 745 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20160531/16f13b7a/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: p7zip.SlackBuild.patch
Type: text/x-patch
Size: 914 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20160531/16f13b7a/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: p7zip.15.14.1.SlackBuild.patch
Type: text/x-patch
Size: 1017 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20160531/16f13b7a/attachment-0004.bin>