by wolf550e 2971 days ago
Is there software running on Linux which is derived from the same source and is also vulnerable?

Is this package vulnerable:

https://packages.debian.org/sid/p7zip-rar

https://packages.ubuntu.com/bionic/p7zip-rar

?

3 comments

Just looked at both packages' source, and it looks like they are affected. At least all the vulnerable code is in the source package.
Debian (and Ubuntu as a downstream) patched out issues already: https://www.debian.org/security/2018/dsa-4104
That's right, they patched CVE-2017-17969, which affected ZIP decompression. Interestingly, I believe they didn't patch CVE-2018-5996 (affecting RAR), which I published [0] on January 23 together with CVE-2017-17969.

[0]: https://landave.io/2018/01/7-zip-multiple-memory-corruptions...

The Debian security team doesn’t patch packages from the non-free repository, like the 7-Zip RAR support:

https://www.debian.org/security/faq#contrib

That would have to wait for the maintainer to upload a new version and get it into a stable release.

Ubuntu doesn't get these patches unless some non-Canonical volunteer puts in the effort to prepare a package and get a sponsor from Canonical. Future versions of Ubuntu will eventually get the fix because Ubuntu will be forked off from a sufficiently new version of Debian.

Here's the status of your DSA's vulnerability in Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2...

Here's the status of the post's vulnerability in Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2...
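The practical question behind the comments above is whether the copy of p7zip-rar actually installed on a box is older than the version the distribution tracker lists as fixed. The following POSIX shell snippet is an added example and not code from the thread, from Debian or from Ubuntu; the function names (`version_lt`, `classify_version`, `pkg_status`) and the `FIXED` placeholder are assumptions, and the fixed version itself has to be taken from the Debian or Ubuntu tracker pages linked above because this thread does not state it. It uses `dpkg --compare-versions` when dpkg is present (the authoritative ordering, including epochs and `~`) and falls back to GNU `sort -V` elsewhere.

```shell
#!/bin/sh
# Added example: check an installed Debian/Ubuntu package against a fixed version.

# version_lt A B: succeed (exit 0) when version A sorts strictly before version B.
# dpkg's comparison is authoritative for Debian version strings; sort -V is a
# reasonable fallback on systems without dpkg.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# classify_version INSTALLED FIXED: print "vulnerable" if INSTALLED < FIXED, else "fixed".
classify_version() {
    if version_lt "$1" "$2"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# pkg_status PACKAGE FIXED: look up the installed version with dpkg-query and
# classify it; prints "not-installed" when the package is absent or dpkg is missing.
pkg_status() {
    pkg=$1
    fixed=$2
    installed=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) || installed=""
    if [ -z "$installed" ]; then
        echo "not-installed"
        return 0
    fi
    classify_version "$installed" "$fixed"
}

# FIXED is a placeholder (assumption): set it to the fixed version from the
# distribution's CVE tracker before relying on the result.
FIXED=${FIXED:-"0~set-from-tracker"}
echo "p7zip-rar: $(pkg_status p7zip-rar "$FIXED")"
```

Run it as `FIXED=<version-from-tracker> sh check.sh`; on a non-Debian host it simply reports `not-installed`, which is the correct answer for that package manager rather than a false sense of safety.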

Yes, they are. I just removed p7zip from my Arch box for now. Looking at the project, I think it may take a while to get up to 18.05.