| 1 | | Security update, because I'm including a patch for CVE-2015-1038, similar |
| 2 | | to the one used ib Debian for the version in the book. |
| 3 | | |
| 4 | | [http://downloads.sourceforge.net/project/p7zip/p7zip/15.09/p7zip_15.09_src_all.tar.bz2] |
| 5 | | |
| 6 | | == Security == |
| 7 | | |
| 8 | | [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038] |
| 9 | | |
| 10 | | [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660] |
| 11 | | |
| 12 | | == Changes and discussion == |
| 13 | | |
| 14 | | [http://sourceforge.net/p/p7zip/discussion/383043/thread/53f8df4f/] |
| 15 | | |
| 16 | | {{{ |
| 17 | | 15.09 source released! |
| 18 | | |
| 19 | | Created: 5 days ago |
| 20 | | Updated: 2 days ago |
| 21 | | |
| 22 | | my p7zip |
| 23 | | my p7zip |
| 24 | | 5 days ago |
| 25 | | |
| 26 | | p7zip 15.09 beta was released. |
| 27 | | |
| 28 | | What's new after p7zip 9.38.1 : |
| 29 | | |
| 30 | | • 7-Zip now can extract ext2 and multivolume VMDK images. |
| 31 | | • 7-Zip now can extract ext3 and ext4 (Linux file system) images. |
| 32 | | • support of cygwin 64 bits |
| 33 | | • support of cygwin 64 bits with asm |
| 34 | | • cygwin : fix in GetRamSize() |
| 35 | | • cross building added : |
| 36 | | ◦ makefile.linux_cross_aarch64 |
| 37 | | ◦ makefile.linux_cross_arm |
| 38 | | ◦ makefile.linux_cross_ppc |
| 39 | | ◦ makefile.linux_cross_ppc64 |
| 40 | | ◦ makefile.linux_cross_ppc64le |
| 41 | | ◦ makefile.linux_cross_s390x (7za and 7zr pass tests, 7z does not |
| 42 | | pass tests) |
| 43 | | |
| 44 | | • 7-Zip now can extract GPT images and single file QCOW2, VMDK, VDI |
| 45 | | images. |
| 46 | | • 7-Zip now can extract solid WIM archives with LZMS compression. |
| 47 | | • 7-Zip now can extract RAR5 archives. |
| 48 | | • 7-Zip now doesn't sort files by type while adding to solid 7z |
| 49 | | archive. |
| 50 | | • new -mqs switch to sort files by type while adding to solid 7z |
| 51 | | archive. |
| 52 | | • 7-Zip now can create 7z, xz and zip archives with 1536 MB |
| 53 | | dictionary for LZMA/LZMA2. |
| 54 | | • 7-Zip now can extract .zipx (WinZip) archives that use xz |
| 55 | | compression. |
| 56 | | |
| 57 | | Last edit: my p7zip 5 days ago |
| 58 | | |
| 59 | | İsmail Dönmez |
| 60 | | İsmail Dönmez |
| 61 | | 3 days ago |
| 62 | | |
| 63 | | Great news! But I see that security patch for CVE-2015-1038 is still |
| 64 | | not included. Any chance of fixing that? |
| 65 | | |
| 66 | | my p7zip |
| 67 | | my p7zip |
| 68 | | 3 days ago |
| 69 | | |
| 70 | | I don't know what to do to solve CVE-2015-1038. |
| 71 | | |
| 72 | | Please provide real examples and tell me what the program should do. |
| 73 | | |
| 74 | | What do unzip, tar, .... in that case ? |
| 75 | | |
| 76 | | İsmail Dönmez |
| 77 | | İsmail Dönmez |
| 78 | | 2 days ago |
| 79 | | |
| 80 | | This is all documented in |
| 81 | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660 the essence |
| 82 | | of the issue is, run the following commands: |
| 83 | | |
| 84 | | ln -s /tmp dir |
| 85 | | 7z a test.7z dir |
| 86 | | rm dir |
| 87 | | mkdir dir |
| 88 | | echo hello > dir/file |
| 89 | | 7z a test.7z dir/file |
| 90 | | rm -r dir |
| 91 | | |
| 92 | | and if you extract that test.7z you got a file /tmp/file , which is |
| 93 | | symlink traversing vulnerability. Attached is the patch from Debian |
| 94 | | which seems to fix the issue (I rebased the patch against p7zip |
| 95 | | 15.09). |
| 96 | | |
| 97 | | Attachments |
| 98 | | p7zip-CVE-2015-1038.patch |
| 99 | | }}} |
| | 1 | https://downloads.sourceforge.net/p7zip/p7zip_15.14.1_src_all.tar.bz2 |
