p7zip Security Vulnerability?


#1 Guest_hollowface_*


  • Guests

Posted 22 May 2016 - 01:21 AM

Two security vulnerabilities were recently discovered in the archive manager 7-Zip (popular on Windows). CVE-2016-2335 can "lead, in some circumstances, to arbitrary code execution", and CVE-2016-2334 is an "exploitable heap overflow vulnerability". These vulnerabilities are fixed in 16.00 and newer (16.02 being the current release). I presume these vulnerabilities also affect p7zip (a Linux port of 7-Zip), though I have not found any reliable confirmations.


I thought I'd mention these vulnerabilities here in the Linux section in case anyone is using p7zip (personally I do sometimes, as it's a great program). The most recent port of p7zip is 15.14.1, but users of many distros may be running older versions like 9.20 (eg: Ubuntu Trusty, Ubuntu Xenial, Debian Jessie, Linux Mint Qiana).



- https://sourceforge.net/p/sevenzip/discussion/45797/thread/a8fd6078/?page=1

- http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

- http://www.talosintel.com/reports/TALOS-2016-0093/

- http://www.talosintel.com/reports/TALOS-2016-0094/

- https://sourceforge.net/projects/p7zip/

- http://www.7-zip.org/download.html

- http://packages.ubuntu.com/search?keywords=p7zip-full

- https://packages.debian.org/search?keywords=p7zip-full

- https://www.archlinux.org/packages/?sort=&q=p7zip&maintainer=&flagged=

- https://apps.fedoraproject.org/packages/p7zip


#2 66Batmobile


  • Members
  • 295 posts
  • Gender:Male
  • Location:State of Denial

Posted 22 May 2016 - 08:37 PM

Software manager says it's installed in Mint 17.2 (version 9.20).  Also indicates that removing would also take out mint-meta-cinnamon and mint-meta-core.


Is this an issue if you don't use it? I've never heard of it before today.

Gen. Barker - You haven't heard the last of this!!

Hawkeye Pierce - I wasn't listening to the first of it...

#3 Guest_hollowface_*


  • Guests

Posted 23 May 2016 - 08:02 PM

Is this an issue if you don't use it?

No. Both vulnerabilities are during usage. Keep in mind that some graphical archive-managers (eg: File-roller) may use p7zip to open some types of archives. However, CVE-2016-2334 only applies when dealing with HFS+ filesystems in files, and CVE-2016-2335 only applies to UDF images, so unless you're dealing with those, you're safe.
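As an added example (not part of the original posts), a small check for whether a file is a raw HFS+ or UDF image, the two formats the reply above ties the CVEs to, so it can be set aside instead of opened with an unpatched archive manager. The function names and sample files are constructed for illustration; the check reads only the magic bytes at the formats' standard offsets, so an image wrapped in another container (a partition map or a compressed DMG, for instance) is not recognised.

```python
import os
import tempfile

# Magic values from the HFS+ and UDF on-disk formats.
HFS_SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX"}  # 2 bytes at offset 1024
UDF_IDS = {b"NSR02", b"NSR03"}                   # volume recognition sequence
VRS_START, SECTOR = 32768, 2048                  # sequence begins at sector 16

def classify_image(path):
    """Return the set of filesystem types whose magic bytes the file carries."""
    found = set()
    with open(path, "rb") as f:
        f.seek(1024)
        sig = f.read(2)
        if sig in HFS_SIGNATURES:
            found.add(HFS_SIGNATURES[sig])
        # Each descriptor is one sector: 1 type byte, then a 5-byte identifier.
        for i in range(16):
            f.seek(VRS_START + i * SECTOR + 1)
            ident = f.read(5)
            if len(ident) < 5:
                break  # ran past the end of the file
            if ident in UDF_IDS:
                found.add("UDF")
    return found

def _make_sample(directory, name, patches):
    """Write a constructed zero-filled file with magic bytes at given offsets."""
    buf = bytearray(VRS_START + 4 * SECTOR)
    for offset, data in patches.items():
        buf[offset:offset + len(data)] = data
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(buf)
    return path

def demo():
    """Classify three constructed samples: HFS+, UDF, and neither."""
    with tempfile.TemporaryDirectory() as d:
        samples = [
            _make_sample(d, "hfs.img", {1024: b"H+"}),
            _make_sample(d, "udf.iso", {VRS_START + 1: b"BEA01",
                                        VRS_START + SECTOR + 1: b"NSR02",
                                        VRS_START + 2 * SECTOR + 1: b"TEA01"}),
            _make_sample(d, "plain.bin", {}),
        ]
        return {os.path.basename(p): sorted(classify_image(p)) for p in samples}

if __name__ == "__main__":
    print(demo())
```

A match only says the file is in one of the two formats, not that it is malicious.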

#4 pcpunk


  • Members
  • 5,400 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:05 PM

Posted 23 May 2016 - 09:03 PM

Thanks HF!


Created by Mike_Walsh


KDE, Ruler of all Distro's


