Package: 7zip
Version: 24.09+dfsg-8
Severity: important
Tags: security
Debian stable (13.0).
Fix: Update to 7-Zip 25.01
Affected versions: 7-Zip prior to 25.01
Impact: Arbitrary file write, may lead to code execution
CVE ID: CVE-2025-55188
Hello.
There is a vulnerability in 7zip which primarily affects Linux systems:
https://seclists.org/oss-sec/2025/q3/82
"7-Zip before 25.01 does not always properly handle symbolic links
during extraction. Prior to 25.01, it was possible for a
maliciously-crafted archive to create an unsafe symbolic link. 7-Zip
follows symbolic links when extracting, so this leads to arbitrary file
write."
"An attacker may leverage this arbitrary file write to achieve
unauthorized access/code execution, such as by overwriting a user's SSH
keys or .bashrc file"
More info: https://gbhackers.com/7-zip-vulnerability-3/
Release with fix: https://github.com/ip7z/7zip/releases/tag/25.01
Best regards,
JK
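Added example (not code from this bug report, from 7-Zip or from Debian): the pattern the quoted advisory describes, reproduced with a constructed zip archive. The archive carries a symlink entry that points outside the extraction directory, followed by a regular file entry whose path passes through that symlink. A naive extractor that honours symlink entries and then opens later paths normally writes the payload outside the destination; a hardened extractor resolves the parent of every entry and checks every symlink target against the destination root, so it rejects the same archive while still accepting a benign archive with an in-tree relative symlink. Entry names, the "outside" directory standing in for something like ~/.ssh, the payload bytes and the function names are all made up for the demonstration; Python's zipfile is used only to build and read the archives, as 7-Zip's own code is not involved.

```python
"""Constructed demonstration of symlink-then-write extraction abuse and a guarded extractor.
Not 7-Zip code; the archive, paths and payload are made up."""
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path

PAYLOAD = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... attacker@example\n"  # constructed


def _symlink_info(name: str) -> zipfile.ZipInfo:
    """Zip entry whose Unix mode (high 16 bits of external_attr) marks it as a symlink."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3  # Unix host, so extractors read the mode bits
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    return info


def build_malicious_zip(link_target: str = "../outside") -> bytes:
    """'link' -> link_target (outside the tree), then 'link/authorized_keys' written through it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(_symlink_info("link"), link_target)  # a zip symlink stores its target as data
        zf.writestr("link/authorized_keys", PAYLOAD)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """A legitimate archive: one file and a relative symlink that stays inside the tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dir/file.txt", b"hello\n")
        zf.writestr(_symlink_info("dir/alias"), "file.txt")
    return buf.getvalue()


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)


def _inside(path: Path, root: Path) -> bool:
    return path == root or root in path.parents


def naive_extract(data: bytes, dest: str) -> None:
    """Creates symlink entries, then writes later entries through them (the unsafe behaviour)."""
    dest_p = Path(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = dest_p / info.filename
            os.makedirs(path.parent, exist_ok=True)  # a symlinked parent is accepted as a dir
            if is_symlink_entry(info):
                os.symlink(zf.read(info).decode(), path)
            else:
                path.write_bytes(zf.read(info))  # open() follows the symlink: lands outside dest


def safe_extract(data: bytes, dest: str) -> list:
    """Rejects traversal in names, symlink targets outside dest, and writes through symlinks."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if Path(name).is_absolute() or ".." in Path(name).parts:
                raise ValueError(f"path traversal in entry name: {name!r}")
            path = root / name
            real_parent = path.parent.resolve()  # follows any symlink an earlier entry created
            if not _inside(real_parent, root):
                raise ValueError(f"entry {name!r} would be written outside {root}")
            os.makedirs(real_parent, exist_ok=True)
            if is_symlink_entry(info):
                target = zf.read(info).decode()
                resolved = Path(os.path.normpath(os.path.join(real_parent, target)))
                if not _inside(resolved, root):  # catches '../x' and absolute targets alike
                    raise ValueError(f"symlink {name!r} -> {target!r} escapes {root}")
                os.symlink(target, path)
            else:
                path.write_bytes(zf.read(info))
            written.append(name)
    return written


def demo() -> dict:
    """Runs both extractors in a temporary tree and reports what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"  # stands in for a pre-existing ~/.ssh
        outside.mkdir()
        naive_extract(build_malicious_zip(), os.path.join(tmp, "naive"))
        wrote_outside = (outside / "authorized_keys").read_bytes() == PAYLOAD
        rejected = {}
        for label, target in (("relative", "../outside"), ("absolute", "/etc")):
            try:
                safe_extract(build_malicious_zip(target), os.path.join(tmp, "safe_" + label))
                rejected[label] = False
            except ValueError:
                rejected[label] = True
        benign = safe_extract(build_benign_zip(), os.path.join(tmp, "benign"))
    return {"naive_wrote_outside": wrote_outside, "safe_rejected": rejected, "benign_entries": benign}


if __name__ == "__main__":
    print(demo())
```

The two checks in safe_extract are deliberately independent: the symlink-target check stops the link from being created at all, and the resolved-parent check stops a later entry from being written through a link that slipped past (for instance one created by an earlier, unrelated extraction into the same directory). A production extractor should additionally open files with O_NOFOLLOW relative to a directory descriptor, since a path resolved before the write can be changed by a concurrent process.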