Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

p7zip Security Vulnerability?


  • Please log in to reply
3 replies to this topic

#1 Guest_hollowface_*

Guest_hollowface_*

  • Guests
  • OFFLINE
  •  

Posted 22 May 2016 - 01:21 AM

Two security vulnerabilities were recently discovered with the archive manager 7-Zip (popular on Windows). CVE-2016-2335 can "lead, in some circumstances, to arbitrary code execution", and CVE-2016-2334 is an "exploitable heap overflow vulnerability". These vulnerabilities are fixed in 16.00 and newer (16.02 being the current release). I presume these vulnerabilities also affect p7zip (a Linux port of 7-Zip), though have not found any reliable confirmations.

 

I thought I'd mention these vulnerabilities here in the Linux section in case anyone is using p7zip (personally I do sometimes, as it's a great program). The most recent port of p7zip is 15.14.1, but users of many distros may be running older versions like 9.20 (eg: Ubuntu Trusty, Ubuntu Xenial, Debian Jessie, Linux Mint Qiana).

 

References:

- https://sourceforge.net/p/sevenzip/discussion/45797/thread/a8fd6078/?page=1

- http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

- http://www.talosintel.com/reports/TALOS-2016-0093/

- http://www.talosintel.com/reports/TALOS-2016-0094/

- https://sourceforge.net/projects/p7zip/

- http://www.7-zip.org/download.html

- http://packages.ubuntu.com/search?keywords=p7zip-full

- https://packages.debian.org/search?keywords=p7zip-full

- https://www.archlinux.org/packages/?sort=&q=p7zip&maintainer=&flagged=

- https://apps.fedoraproject.org/packages/p7zip



BC AdBot (Login to Remove)

 


#2 66Batmobile

66Batmobile

  • Members
  • 323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:State of Denial

Posted 22 May 2016 - 08:37 PM

Software manager says it's installed in Mint 17.2 (version 9.20).  Also indicates that removing would also take out mint-meta-cinnamon and mint-meta-core.

 

Is this an issue if you don't use it? I've never heard of it before today.


Gen. Barker - You haven't heard the last of this!!

Hawkeye Pierce - I wasn't listening to the first of it...


#3 Guest_hollowface_*

Guest_hollowface_*

  • Guests
  • OFFLINE
  •  

Posted 23 May 2016 - 08:02 PM

Is this an issue if you don't use it?

No. Both vulnerabilies are during usage. Keep in mind that some graphical archive-managers (eg: File-roller) may use p7zip to open some types of archives. However, CVE-2016-2334 only applies when dealing with HFS+ filesystems in files, and CVE-2016-2335 only applies to UDF images, so unless you're dealing with those, you're safe.
 

#4 pcpunk

pcpunk

  • Members
  • 5,865 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:39 AM

Posted 23 May 2016 - 09:03 PM

Thanks HF!


sBCcBvM.png

Created by Mike_Walsh

 

KDE, Ruler of all Distro's

eps2.4_m4ster-s1ave.aes_pcpunk_leavemehere

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users