Control: tags -1 +patch Since a fix was published in upstream 18.00-beta, I looked at the source there and was able to produce a simple patch for wheezy, which should be trivial to port to jessie and easy to port to stretch:
https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/c296/attachment/CVE-2017-17969.patch Attached as well. Looks good? A.
Subject: backport of the CVE-2017-17969 fix from 7zip 18.00-beta Forwarded: https://sourceforge.net/p/p7zip/bugs/204/ Bug-Debian: http://bugs.debian.org/888297 Author: Antoine Beaupré <anar...@debian.org> Applied-Upstream: 18.00-beta Last-Update: 2018-01-26 --- p7zip-9.20.1~dfsg.1/CPP/7zip/Compress/ShrinkDecoder.cpp.orig 2011-04-01 15:14:01.000000000 -0400 +++ p7zip-9.20.1~dfsg.1/CPP/7zip/Compress/ShrinkDecoder.cpp 2018-01-26 16:00:19.944166092 -0500 @@ -99,7 +99,13 @@ corectionIndex = i; _stack[i++] = _suffixes[cur]; cur = _parents[cur]; + if (cur == kEmpty || i >= kNumItems) + break; } + + if (cur == kEmpty || i >= kNumItems) + break; + _stack[i++] = (Byte)cur; if (needPrev) {
signature.asc
Description: PGP signature