Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1

To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 1051232@bugs.debian.org
Subject: Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
From: yokota <yokota.hgml@gmail.com>
Date: Wed, 6 Sep 2023 08:46:46 +0900
Message-id: <[🔎] CA+0c0dU8vM_+CYt6g4ONZESHRM5s6LdFsDGgcYhK9-ys2K2Xzg@mail.gmail.com>
Reply-to: yokota <yokota.hgml@gmail.com>, 1051232@bugs.debian.org
In-reply-to: <[🔎] 20230904200014.GA27154@inutil.org>
References: <169385426720.99339.15820086512918755552.reportbug@loadstone.darkstar.local> <[🔎] 20230904200014.GA27154@inutil.org> <169385426720.99339.15820086512918755552.reportbug@loadstone.darkstar.local>

Hello,

> What are the isolated fixes for CVE-2023-40481 and CVE-2023-31102, is there some
> kind of public upstream VCS or can you ask upstream about it?

CVE site is not disclose info about this issue yet, but Zero Day
Initiative already disclose this issue.

> CVE-2023-31102: https://www.zerodayinitiative.com/advisories/ZDI-23-1165/
> CVE-2023-40481: https://www.zerodayinitiative.com/advisories/ZDI-23-1164/

In Zero Day Initiative report, they shows the fixes about these issues.

> ADDITIONAL DETAILS 7-Zip has issued an update to correct this vulnerability. More details can be found at: https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269/

Updated 7-Zip 23.00beta is released in this sourceforge link.
I want to upload 7-Zip 23.01 to Debian because 23.01 is non-beta version.

--
YOKOTA Hiroshi

Reply to:

References:
- Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Bug#1051302: bookworm-pu: package jekyll/4.3.1+dfsg-3+deb12u1
Next by Date: NEW changes in stable-new
Previous by thread: Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
Next by thread: Bug#1051237: transition: move files from / to /usr to finalize /usr-merge
Index(es):
- Date
- Thread