Is p7zip affected by remote code execution security vulnerabilities of "normal" 7zip?
Seems 7zip 22.01 from Igor Pavlov was affected by these two newly found security bugs:
It seems those issues allow remote code execution by opening files!!!
7zip has released new versions (23.01) which apparently fix those issues.
Unfortunately p7zip is the default on many Linux distros out there.
Any statements about those two security issues?
> Any statements about those two security issues?
Yes. You can go to sf.net/p/sevenzip, download and compare versions 22.01 and 23.01, get what it does to solve the issue, incorporate it into 17.05, request a pull and get an award for being a security hero.
Ed. Here is the diff between v22.01 and v23.01. It's where this vulnerability (squashfs) is fixed. You're welcome to incorporate it into v17.05.