Your message dated Fri, 09 Feb 2018 23:47:13 +0000
with message-id <e1ekint-0004rj...@fasolo.debian.org>
and subject line Bug#888297: fixed in p7zip 16.02+dfsg-3+deb9u1
has caused the Debian Bug report #888297,
regarding p7zip: CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: p7zip
Version: 16.02+dfsg-4
Severity: grave
Tags: upstream newcomer security
Justification: user security hole

Dear Maintainer,

p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
vulnerabilities:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn

In particular, the RAR3 and LZW algorithm implementations are susceptible to
memory corruption and may compromise a system through specially crafted
archives.

These issues have already been fixed upstream, and a new version of p7zip
(18.0) is available.

Please update all p7zip* packages to their latest versions as soon as possible.

Thank you.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages p7zip depends on:
ii  libc6       2.26-2
ii  libgcc1     1:7.2.0-19
ii  libstdc++6  7.2.0-19

p7zip recommends no packages.

Versions of packages p7zip suggests:
ii  p7zip-full  16.02+dfsg-4

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: p7zip
Source-Version: 16.02+dfsg-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
p7zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated p7zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 02 Feb 2018 11:11:41 +0100
Source: p7zip
Binary: p7zip p7zip-full
Architecture: source
Version: 16.02+dfsg-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Robert Luberda <rob...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 888297
Description: 
 p7zip      - 7zr file archiver with high compression ratio
 p7zip-full - 7z and 7za file archivers with high compression ratio
Changes:
 p7zip (16.02+dfsg-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
     (CVE-2017-17969)
     Thanks to Antoine Beaupré (Closes: #888297)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
