Bug 1077724 - (CVE-2018-5996) VUL-0: CVE-2018-5996: p7zip: memory corruption in RAR decompression
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Kristyna Streitova
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/198909/
Whiteboard: CVSSv3:SUSE:CVE-2018-5996:9.8:(AV:N/A...
Depends on:
Blocks:
Reported: 2018-01-26 10:24 UTC by Alexander Bergmann
Modified: 2018-02-20 23:43 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2018-01-26 10:24:15 UTC
rh#1538470

Multiple memory corruption vulnerabilities exist in 7-Zip's RAR compression handler. Versions before 18.00 are affected.

p7zip is a port of 7-Zip's 7za.exe for Unix. p7zip does not include 7-Zip's RAR compression code and is not vulnerable.

ismail has a 7-zip copy on github:
https://github.com/ismail/7-zip

External References:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1538470
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5996
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5996.html
Comment 3 Kristyna Streitova 2018-02-09 17:16:49 UTC
The RAR support was removed because of the incompatible licence in SLE12 and openSUSE:Factory.

SLE12: mr#154442
openSUSE:Factory: sr#570599

We are not affected by this issue anymore. I'm closing this bug as INVALID.
Comment 4 Swamp Workflow Management 2018-02-16 17:08:55 UTC
SUSE-SU-2018:0464-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1077724,1077725,1077978,984650
CVE References: CVE-2016-1372,CVE-2017-17969,CVE-2018-5996
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    p7zip-9.20.1-7.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    p7zip-9.20.1-7.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    p7zip-9.20.1-7.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    p7zip-9.20.1-7.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    p7zip-9.20.1-7.3.1
Comment 5 Swamp Workflow Management 2018-02-20 17:16:51 UTC
openSUSE-SU-2018:0497-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1077724,1077725,1077978,984650
CVE References: CVE-2016-1372,CVE-2017-17969,CVE-2018-5996
Sources used:
openSUSE Leap 42.3 (src):    p7zip-9.20.1-18.3.1