-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 May 2026 09:30:20 +0200
Source: p7zip
Architecture: source
Version: 16.02+really25.01+dfsg-0+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 1111068
Changes:
 p7zip (16.02+really25.01+dfsg-0+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Rebuild for bullseye.
   * Adjust debian/gbp.conf and debian/salsa-ci.yml for bullseye.
 .
 p7zip (16.02+really25.01+dfsg-0+deb12u1) bookworm; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Move codebase to 7-Zip (not p7zip) upstream 25.01, fixes:
     - CVE-2022-47069: heap-buffer-overflow vulnerability via the function
       NArchive::NZip::CInArchive::FindCd
     - CVE-2023-31102: Ppmd7.c allows an integer underflow and invalid read
       operation via a crafted 7Z archive.
     - CVE-2023-40481: SquashFS File Parsing Out-Of-Bounds Write RCE
     - CVE-2023-52168: heap-based buffer overflow in NTFS handler
     - CVE-2023-52169: out-of-bounds read in NTFS handler
     - CVE-2024-11612: CopyCoder Infinite Loop Denial-of-Service
     - CVE-2025-11001: ZIP File Parsing Directory Traversal RCE
     - CVE-2025-11002: ZIP File Parsing Directory Traversal RCE
     - CVE-2025-53817: null pointer dereference in the Compound handler
       may lead to denial of service
     - CVE-2025-55188: does not always properly handle symbolic links
       during extraction. (Closes: #1111068)
   * Add NEWS entry and edit package description about the codebase change.
   * Drop assembly support, which would require asmc-linux, not present
     before trixie, or re-porting the ASM code to yasm as p7zip did.
   * Make 7-Zip behave like p7zip to avoid compatibility issues:
     - d/p/p7zip-compat-version-output.patch: mimic p7zip output
     - d/p/p7zip-compat-symlinks.patch: mimic symlinks handling
     - d/p/p7zip-compat-utf16.patch: mimic -[no-]utf16 options
   * Sync patches from 25.01+dfsg-1~deb13u1:
     - drop all old patches
     - drop new patches:
       - 000*-Use-c-flags-for-asmc.patch (no ASM)
       - 000*-Add-fpic-for-Asmc-options.patch (no ASM)
       - 000*-Use-system-locale-to-select-codepage-for-legacy-zip-.patch
         (behavior change)
   * Selectively import packaging from trixie, to avoid disruption in
     stable release:
     - Sync debian/copyright.
     - Import debian/rules, drop ASM rules, adapt p7zip.install and
       p7zip-full.install, add dependency to dh-exec for *.install rename
       support (as in the 7zip package).
     - Adjust d/p7zip-full.docs, drop d/p7zip-full.doc-base and
       d/p7zip-full.links (no more HTML documentation).
     - Import debian/man/ from trixie (except for 7zz.1), merge d/p7zip.1
       to debian/man/ (same file), make 7zr.1 the primary file (as it's
       the only one in the p7zip base package / !full).
     - Import debian/test/ (except for 7zz tests).
     - Drop debian/format/ options.
   * Stub debian/watch (reuse 7zip tarball instead).
   * Enable Salsa CI.
   * Configure git-buildpackage for oldstable.