[ASA-201806-6] p7zip: arbitrary code execution
Remi Gacogne
rgacogne at archlinux.org
Sun Jun 10 10:36:05 UTC 2018
Arch Linux Security Advisory ASA-201806-6
=========================================
Severity: Critical
Date : 2018-06-09
CVE-ID : CVE-2018-10115
Package : p7zip
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-714
Summary
=======
The package p7zip before version 16.02-5 is vulnerable to arbitrary
code execution.
Resolution
==========
Upgrade to 16.02-5.
# pacman -Syu "p7zip>=16.02-5"
The problem has been fixed upstream in 7-Zip version 18.05; the Arch package backports that fix onto p7zip 16.02.
Workaround
==========
None.
Description
===========
A use of uninitialized memory has been found in the RAR decoder component
of 7-Zip before 18.05: RAR decoder objects were not correctly
initialized, so a crafted archive can make the decoder operate on
uninitialized state, resulting in arbitrary code execution.
Impact
======
A remote attacker can execute arbitrary code, with the privileges of the user running p7zip, by getting that user to extract a crafted RAR archive.
References
==========
https://bugs.archlinux.org/task/58907
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
https://landave.io/files/patch_7zip_CVE-2018-10115.txt
https://security.archlinux.org/CVE-2018-10115