On Tue, Dec 23, 2025 at 4:40 PM Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE LIMITED at Cisco) <[email protected]> wrote:
>
> Hi Anuj,
>
> As per p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116 ([3]) the
> trace points to FindCd() and the proposed patch for the same was mentioned in
> 1209648 – (CVE-2022-47069, CVE-2023-1576) VUL-0: CVE-2022-47069: p7zip: Heap
> buffer overflow in ZipIn.cpp ([4])
> - git history of p7zip has no individual commit that fixes this CVE, but
> the changes mentioned in proposed patch are part of the latest version via
> commit update zip archive file · p7zip-project/p7zip@d7a903f([1])
> - Compared the source code and tried adding similar changes as the proposed
> patch.
> - The proposed patch in 1209648 – (CVE-2022-47069, CVE-2023-1576) VUL-0:
> CVE-2022-47069: p7zip: Heap buffer overflow in ZipIn.cpp ([4]) has incomplete
> changes, therefore modified source code with the additional required changes.

Thank you for explaining. The patch that was finally applied for that bug is here:

https://build.opensuse.org/projects/SUSE:SLE-15-SP6:Update/packages/p7zip/files/CVE-2023-1576.patch?expand=1

I will take the change in next series.

> - With the added changes also confirmed that, there is no trace observed as
> mentioned in bug p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116
> ([3])
>
> Regards,
> Vrushti
> ________________________________
> From: [email protected]
> <[email protected]> on behalf of Anuj Mittal via
> lists.openembedded.org <[email protected]>
> Sent: Tuesday, December 23, 2025 5:22 AM
> To: Gyorgy Sarvari <[email protected]>
> Cc: Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE LIMITED at Cisco)
> <[email protected]>; [email protected]
> <[email protected]>
> Subject: Re: [oe] [meta-openembedded] [Scarthgap] [PATCH] p7zip 16.02: Fix
> CVE-2022-47069
>
> Hi,
>
> On Mon, Dec 22, 2025 at 11:53 PM Gyorgy Sarvari <[email protected]> wrote:
> >
> > Anuj,
> >
> > Do you see showstopper issues with this patch? Or did it just fall
> > through the cracks accidentally?
>
> Sorry, I did have questions on this patch so didn't include it but
> forgot to respond. Thank you for reminding.
>
> >
> > On 12/11/25 12:33, Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE
> > LIMITED at Cisco) via lists.openembedded.org wrote:
> > > From: Vrushti Dabhi <[email protected]>
> > >
> > > Upstream Repository: https://sourceforge.net/projects/p7zip/
> > >
> > > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
> > > Type: Security Fix
> > > CVE: CVE-2022-47069
> > > Score: 7.8
> > >
> > > Note:
> > > - Commit [1] updates complete p7zip archive source for v17 and includes
> > > changes
> > > that fix CVE-2022-47609, adapted fix related changes in current p7zip
> > > v16.02.
> > > - Similar changes via [2] have been integrated into the upstream 7zip
> > > package,
> > > which replaced p7zip 16.02 in OE-Core master.
> > > For the testing:
> > > - Verified fix using steps mentioned at [3], trace not observed.
> > > - Validated against known malicious ZIP samples [3]
> > >
> > > References:
> > > [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> > > [2] https://github.com/ip7z/7zip/commit/f19f813537c7
> > > [3] https://sourceforge.net/p/p7zip/bugs/241/
> > > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
>
> It looks like the patch attached in this bug is different from the
> changes below. It's not clear to me how the fix was derived from [1]
> and [2] and how is [4] relevant.
>
> Thanks,
>
> Anuj
