Hi Anuj, As per p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116<https://sourceforge.net/p/p7zip/bugs/241/> ([3]) the trace points to FindCd() and the proposed patch for the same was mentioned in 1209648 – (CVE-2022-47069, CVE-2023-1576) VUL-0: CVE-2022-47069: p7zip: Heap buffer overflow in ZipIn.cpp<https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069> ([4]) - git history of p7zip has no individual commit that has fixes this CVE, but the changes mentioned in proposed patch are part of the latest version via commit update zip archive file · p7zip-project/p7zip@d7a903f<https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2>([1]) - Compared the source code and tried adding similar changes as the proposed patch. - The proposed patch in 1209648 – (CVE-2022-47069, CVE-2023-1576) VUL-0: CVE-2022-47069: p7zip: Heap buffer overflow in ZipIn.cpp<https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069> ([4]) has incomplete changes, therefore modified source code with the additional required changes. - With the added changes also confirmed that, there is no trace observed as mentioned in bug p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116<https://sourceforge.net/p/p7zip/bugs/241/> ([3])
Regards, Vrushti ________________________________ From: [email protected] <[email protected]> on behalf of Anuj Mittal via lists.openembedded.org <[email protected]> Sent: Tuesday, December 23, 2025 5:22 AM To: Gyorgy Sarvari <[email protected]> Cc: Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE LIMITED at Cisco) <[email protected]>; [email protected] <[email protected]> Subject: Re: [oe] [meta-openembedded] [Scarthgap] [PATCH] p7zip 16.02: Fix CVE-2022-47069 Hi, On Mon, Dec 22, 2025 at 11:53 PM Gyorgy Sarvari <[email protected]> wrote: > > Anuj, > > Do you see showstopper issues with this patch? Or did it just fell > through the cracks accidentally? Sorry, I did have questions on this patch so didn't include it but forgot to respond. Thank you for reminding. > > On 12/11/25 12:33, Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE > LIMITED at Cisco) via lists.openembedded.org wrote: > > From: Vrushti Dabhi <[email protected]> > > > > Upstream Repository: https://sourceforge.net/projects/p7zip/ > > > > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069 > > Type: Security Fix > > CVE: CVE-2022-47069 > > Score: 7.8 > > > > Note: > > - Commit [1] updates complete p7zip archive source for v17 and includes > > changes > > that fixes CVE-2022-47609, adapted fix related changes in current p7zip > > v16.02. > > - Similar changes via [2] have been integrated into the upstream 7zip > > package, > > which replaced p7zip 16.02 in OE-Core master. > > For the testing: > > - Verified fix using steps mentioned at [3], trace not observed. > > - Validated against known malicious ZIP samples [3] > > > > References: > > [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2 > > [2] https://github.com/ip7z/7zip/commit/f19f813537c7 > > [3] https://sourceforge.net/p/p7zip/bugs/241/ > > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069 It looks like the patch attached in this bug is different from the changes below. It's not clear to me how the fix was derived from [1] and [2] and how is [4] relevant. Thanks, Anuj
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122827): https://lists.openembedded.org/g/openembedded-devel/message/122827 Mute This Topic: https://lists.openembedded.org/mt/116727783/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
