On Fri, Jan 26, 2018 at 04:10:54PM -0500, Antoine Beaupre wrote: > Control: tags -1 +patch > > Since a fix was published in upstream 18.00-beta, I looked at the source > there and was able to produce a simple patch for wheezy, which should be > trivial to port to jessie and easy to port to stretch: > > https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/c296/attachment/CVE-2017-17969.patch > > Attached as well. > > Looks good?
It does not, at all, look good: that doesn't even compile... I've submitted a new patch upstream: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#2de7 And will leave the discussion happening there. This one builds, at least, and as far as I can tell, doesn't introduce regressions in the normal code paths that I could test. I've asked the original researcher for a reproducer to see if this fixes the issue as well, so I'll wait a little longer for feedback before issuing an advisory on that one. A.
signature.asc
Description: PGP signature