Package: p7zip
Version: 16.02+dfsg-4
Severity: grave
Tags: upstream newcomer security
Justification: user security hole

Dear Maintainer,

p7zip, p7zip-full and the non-free component p7zip-rar are affected by two vulnerabilities:

https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn

In particular, the RAR3 and LZW algorithm implementations are susceptible to memory corruption and may compromise a system through specially crafted archives.

These issues have already been fixed upstream, and a new version of p7zip (18.0) is available. Please update all p7zip* packages to their latest versions as soon as possible.

Thank you.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages p7zip depends on:
ii  libc6       2.26-2
ii  libgcc1     1:7.2.0-19
ii  libstdc++6  7.2.0-19

p7zip recommends no packages.

Versions of packages p7zip suggests:
ii  p7zip-full  16.02+dfsg-4

-- no debconf information