[SECURITY] [DSA 3289-1] p7zip security update

2015-06-1517:18:41

lists.debian.org

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

AI Score

5.6

Confidence

Low

EPSS

0.023

Percentile

90.0%

JSON

Debian Security Advisory DSA-3289-1 [email protected]
https://www.debian.org/security/ Ben Hutchings
June 15, 2015 https://www.debian.org/security/faq

Package : p7zip
CVE ID : CVE-2015-1038
Debian Bug : 774660

Alexander Cherepanov discovered that p7zip is susceptible to a
directory traversal vulnerability. While extracting an archive, it
will extract symlinks and then follow them if they are referenced in
further entries. This can be exploited by a rogue archive to write
files outside the current directory.

For the oldstable distribution (wheezy), this problem has been fixed
in version 9.20.1~dfsg.1-4+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 9.20.1~dfsg.1-4.1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 9.20.1~dfsg.1-4.2.

We recommend that you upgrade your p7zip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7kfreebsd-amd64p7zip-full< 9.20.1~dfsg.1-4+deb7u1p7zip-full_9.20.1~dfsg.1-4+deb7u1_kfreebsd-amd64.deb
Debian8i386p7zip< 9.20.1~dfsg.1-4.1+deb8u1p7zip_9.20.1~dfsg.1-4.1+deb8u1_i386.deb
Debian8armhfp7zip-full< 9.20.1~dfsg.1-4.1+deb8u1p7zip-full_9.20.1~dfsg.1-4.1+deb8u1_armhf.deb
Debian7mipsp7zip-full< 9.20.1~dfsg.1-4+deb7u1p7zip-full_9.20.1~dfsg.1-4+deb7u1_mips.deb
Debian8amd64p7zip-full< 9.20.1~dfsg.1-4.1+deb8u1p7zip-full_9.20.1~dfsg.1-4.1+deb8u1_amd64.deb
Debian8armelp7zip-full< 9.20.1~dfsg.1-4.1+deb8u1p7zip-full_9.20.1~dfsg.1-4.1+deb8u1_armel.deb
Debian8kfreebsd-amd64p7zip< 9.20.1~dfsg.1-4.1+deb8u1p7zip_9.20.1~dfsg.1-4.1+deb8u1_kfreebsd-amd64.deb
Debian8amd64p7zip< 9.20.1~dfsg.1-4.1+deb8u1p7zip_9.20.1~dfsg.1-4.1+deb8u1_amd64.deb
Debian7armelp7zip< 9.20.1~dfsg.1-4+deb7u1p7zip_9.20.1~dfsg.1-4+deb7u1_armel.deb
Debian8powerpcp7zip< 9.20.1~dfsg.1-4.1+deb8u1p7zip_9.20.1~dfsg.1-4.1+deb8u1_powerpc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	kfreebsd-amd64	p7zip-full	< 9.20.1~dfsg.1-4+deb7u1	p7zip-full_9.20.1~dfsg.1-4+deb7u1_kfreebsd-amd64.deb
Debian	8	i386	p7zip	< 9.20.1~dfsg.1-4.1+deb8u1	p7zip_9.20.1~dfsg.1-4.1+deb8u1_i386.deb
Debian	8	armhf	p7zip-full	< 9.20.1~dfsg.1-4.1+deb8u1	p7zip-full_9.20.1~dfsg.1-4.1+deb8u1_armhf.deb
Debian	7	mips	p7zip-full	< 9.20.1~dfsg.1-4+deb7u1	p7zip-full_9.20.1~dfsg.1-4+deb7u1_mips.deb
Debian	8	amd64	p7zip-full	< 9.20.1~dfsg.1-4.1+deb8u1	p7zip-full_9.20.1~dfsg.1-4.1+deb8u1_amd64.deb
Debian	8	armel	p7zip-full	< 9.20.1~dfsg.1-4.1+deb8u1	p7zip-full_9.20.1~dfsg.1-4.1+deb8u1_armel.deb
Debian	8	kfreebsd-amd64	p7zip	< 9.20.1~dfsg.1-4.1+deb8u1	p7zip_9.20.1~dfsg.1-4.1+deb8u1_kfreebsd-amd64.deb
Debian	8	amd64	p7zip	< 9.20.1~dfsg.1-4.1+deb8u1	p7zip_9.20.1~dfsg.1-4.1+deb8u1_amd64.deb
Debian	7	armel	p7zip	< 9.20.1~dfsg.1-4+deb7u1	p7zip_9.20.1~dfsg.1-4+deb7u1_armel.deb
Debian	8	powerpc	p7zip	< 9.20.1~dfsg.1-4.1+deb8u1	p7zip_9.20.1~dfsg.1-4.1+deb8u1_powerpc.deb