1 | | Security update, because I'm including a patch for CVE-2015-1038, similar |
2 | | to the one used ib Debian for the version in the book. |
3 | | |
4 | | [http://downloads.sourceforge.net/project/p7zip/p7zip/15.09/p7zip_15.09_src_all.tar.bz2] |
5 | | |
6 | | == Security == |
7 | | |
8 | | [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038] |
9 | | |
10 | | [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660] |
11 | | |
12 | | == Changes and discussion == |
13 | | |
14 | | [http://sourceforge.net/p/p7zip/discussion/383043/thread/53f8df4f/] |
15 | | |
16 | | {{{ |
17 | | 15.09 source released! |
18 | | |
19 | | Created: 5 days ago |
20 | | Updated: 2 days ago |
21 | | |
22 | | my p7zip |
23 | | my p7zip |
24 | | 5 days ago |
25 | | |
26 | | p7zip 15.09 beta was released. |
27 | | |
28 | | What's new after p7zip 9.38.1 : |
29 | | |
30 | | • 7-Zip now can extract ext2 and multivolume VMDK images. |
31 | | • 7-Zip now can extract ext3 and ext4 (Linux file system) images. |
32 | | • support of cygwin 64 bits |
33 | | • support of cygwin 64 bits with asm |
34 | | • cygwin : fix in GetRamSize() |
35 | | • cross building added : |
36 | | ◦ makefile.linux_cross_aarch64 |
37 | | ◦ makefile.linux_cross_arm |
38 | | ◦ makefile.linux_cross_ppc |
39 | | ◦ makefile.linux_cross_ppc64 |
40 | | ◦ makefile.linux_cross_ppc64le |
41 | | ◦ makefile.linux_cross_s390x (7za and 7zr pass tests, 7z does not |
42 | | pass tests) |
43 | | |
44 | | • 7-Zip now can extract GPT images and single file QCOW2, VMDK, VDI |
45 | | images. |
46 | | • 7-Zip now can extract solid WIM archives with LZMS compression. |
47 | | • 7-Zip now can extract RAR5 archives. |
48 | | • 7-Zip now doesn't sort files by type while adding to solid 7z |
49 | | archive. |
50 | | • new -mqs switch to sort files by type while adding to solid 7z |
51 | | archive. |
52 | | • 7-Zip now can create 7z, xz and zip archives with 1536 MB |
53 | | dictionary for LZMA/LZMA2. |
54 | | • 7-Zip now can extract .zipx (WinZip) archives that use xz |
55 | | compression. |
56 | | |
57 | | Last edit: my p7zip 5 days ago |
58 | | |
59 | | İsmail Dönmez |
60 | | İsmail Dönmez |
61 | | 3 days ago |
62 | | |
63 | | Great news! But I see that security patch for CVE-2015-1038 is still |
64 | | not included. Any chance of fixing that? |
65 | | |
66 | | my p7zip |
67 | | my p7zip |
68 | | 3 days ago |
69 | | |
70 | | I don't know what to do to solve CVE-2015-1038. |
71 | | |
72 | | Please provide real examples and tell me what the program should do. |
73 | | |
74 | | What do unzip, tar, .... in that case ? |
75 | | |
76 | | İsmail Dönmez |
77 | | İsmail Dönmez |
78 | | 2 days ago |
79 | | |
80 | | This is all documented in |
81 | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660 the essence |
82 | | of the issue is, run the following commands: |
83 | | |
84 | | ln -s /tmp dir |
85 | | 7z a test.7z dir |
86 | | rm dir |
87 | | mkdir dir |
88 | | echo hello > dir/file |
89 | | 7z a test.7z dir/file |
90 | | rm -r dir |
91 | | |
92 | | and if you extract that test.7z you got a file /tmp/file , which is |
93 | | symlink traversing vulnerability. Attached is the patch from Debian |
94 | | which seems to fix the issue (I rebased the patch against p7zip |
95 | | 15.09). |
96 | | |
97 | | Attachments |
98 | | p7zip-CVE-2015-1038.patch |
99 | | }}} |
| 1 | https://downloads.sourceforge.net/p7zip/p7zip_15.14.1_src_all.tar.bz2 |
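Review bot: the replacement description on new line 1 drops the whole Security section (the CVE-2015-1038 link and Debian bug 774660) along with the statement that this update carries a patch for that CVE, and leaves only the 15.14.1 tarball URL. The new text does not say whether 15.14.1 still needs the Debian-derived patch or whether the symlink traversal described in the removed thread is fixed in that release. Suggest keeping a one-line security note that states which is the case, together with the two reference links, so the ticket still records why it was marked as a security update and whether the extraction of test.7z into /tmp/file was re-checked against the new version.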