Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1

To: YOKOTA Hiroshi <yokota.hgml@gmail.com>, 1051232@bugs.debian.org
Subject: Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Mon, 4 Sep 2023 22:00:14 +0200
Message-id: <[🔎] 20230904200014.GA27154@inutil.org>
Reply-to: Moritz Muehlenhoff <jmm@inutil.org>, 1051232@bugs.debian.org
In-reply-to: <169385426720.99339.15820086512918755552.reportbug@loadstone.darkstar.local>
References: <169385426720.99339.15820086512918755552.reportbug@loadstone.darkstar.local> <169385426720.99339.15820086512918755552.reportbug@loadstone.darkstar.local>

On Tue, Sep 05, 2023 at 04:04:27AM +0900, YOKOTA Hiroshi wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: 7zip@packages.debian.org, yokota.hgml@gmail.com, bage@debian.org, team@security.debian.org
> Control: affects -1 + src:7zip
> 
> [ Reason ]
> 1. Fix security issue
>  CVE-2023-31102: https://www.zerodayinitiative.com/advisories/ZDI-23-1165/
>  CVE-2023-40481: https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
>
> 2. Use 7zip-rar package for RAR archives.
>    7zip-rar requires 7zip >= 22.01-9

What are the isolated fixes for CVE-2023-40481 and CVE-2023-31102, is there some
kind of public upstream VCS or can you ask upstream about it?

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
  - From: yokota <yokota.hgml@gmail.com>

Prev by Date: Re: Bug#1050256: autopkgtest fails on debci
Next by Date: Bug#1051237: transition: move files from / to /usr to finalize /usr-merge
Previous by thread: Processed: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
Next by thread: Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
Index(es):
- Date
- Thread