Format: 1.8
Date: Fri, 18 Oct 2024 01:45:17 +0900
Source: 7zip
Architecture: source
Version: 22.01+dfsg-8+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: YOKOTA Hiroshi <yokota.hgml@gmail.com>
Changed-By: YOKOTA Hiroshi <yokota.hgml@gmail.com>
Changes:
 7zip (22.01+dfsg-8+deb12u1) bookworm; urgency=medium
 .
   * Fix CVE-2023-52168 (buffer overflow) and CVE-2023-52169 (buffer over-read)
 .
   * CVE-2023-52168: heap-based buffer overflow
     NTFS handler allows an attacker to overwrite two bytes at multiple
     offsets beyond the allocated buffer size.
   * CVE-2023-52169: out-of-bounds read
     NTFS handler allows an attacker to read beyond the intended buffer.
     The bytes read beyond the intended buffer are presented as a part of
     a filename listed in the file system image.
     This has security relevance in some known web-service use cases where
     untrusted users can upload files and have them extracted by a
     server-side 7-Zip process.
 .
   A detailed report about these issues is available at:
   https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
Checksums-Sha1:
 f7f75209af54714b7278caae7d7e4d14dc53641c 1943 7zip_22.01+dfsg-8+deb12u1.dsc
 1a8238aaa7414f14e655d2d4f86d4988bf2ff71d 12428 7zip_22.01+dfsg-8+deb12u1.debian.tar.xz
 906961708bac0883b2a8af637a5879e7088113f8 5493 7zip_22.01+dfsg-8+deb12u1_source.buildinfo
Checksums-Sha256:
 1c4de3c09edbe16dcb64664eeca345800f10b2326ecbf899cb6166c1fc00042f 1943 7zip_22.01+dfsg-8+deb12u1.dsc
 db397518db0bc29c5e113f07f07f534d36838cbf1e3a2e88996541c7f97d4010 12428 7zip_22.01+dfsg-8+deb12u1.debian.tar.xz
 6708ab8ea2124325367b5c5cd8157f723af29b6fe695ae880fee7cc8347d4e94 5493 7zip_22.01+dfsg-8+deb12u1_source.buildinfo
Files:
 b1b82c41cdcca951b0a5b20380ef5ed1 1943 utils optional 7zip_22.01+dfsg-8+deb12u1.dsc
 7c87c66626e9669cbed96db13047d070 12428 utils optional 7zip_22.01+dfsg-8+deb12u1.debian.tar.xz
 d07775932b51ffd2f0665d714ae6736a 5493 utils optional 7zip_22.01+dfsg-8+deb12u1_source.buildinfo