Debian Package Tracker

p7zip

transitional package


general
  • source: p7zip (main)
  • version: 16.02+transitional.1
  • maintainer: Robert Luberda (DMD)
  • arch: all
  • std-ver: 4.6.2
  • VCS: Git (Browse)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
  • o-o-stable: 16.02+dfsg-8
  • oldstable: 16.02+dfsg-8
  • stable: 16.02+transitional.1
versioned links
  • 16.02+dfsg-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 16.02+transitional.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • p7zip
  • p7zip-full
package is gone
This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.
action needed
6 security issues in bullseye (high)

There are 6 open security issues in bullseye.

2 important issues:
  • CVE-2023-31102: Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.
  • CVE-2023-40481: 7-Zip SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SQFS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18589.
4 issues postponed or untriaged:
  • CVE-2023-52168: (postponed; to be fixed through a stable update) The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc.
  • CVE-2025-11001: (postponed; to be fixed through a stable update) 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.
  • CVE-2025-11002: (postponed; to be fixed through a stable update) 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743.
  • CVE-2025-55188: (postponed; to be fixed through a stable update) 7-Zip before 25.01 does not always properly handle symbolic links during extraction.
Created: 2026-03-02 Last update: 2026-03-06 23:30
1 low-priority security issue in bookworm (low)

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:
  • CVE-2023-52168: (needs triaging) The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc.

You can find information about how to handle this issue in the security team's documentation.

5 issues that should be fixed with the next stable update:
  • CVE-2023-31102: Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.
  • CVE-2023-40481: 7-Zip SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SQFS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18589.
  • CVE-2025-11001: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.
  • CVE-2025-11002: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743.
  • CVE-2025-55188: 7-Zip before 25.01 does not always properly handle symbolic links during extraction.
Created: 2024-11-09 Last update: 2026-03-06 23:30
news
[rss feed]
  • [2025-09-22] p7zip REMOVED from testing (Debian testing watch)
  • [2025-09-08] Removed 16.02+transitional.1 from unstable (Debian FTP Masters)
  • [2024-01-21] p7zip 16.02+transitional.1 MIGRATED to testing (Debian testing watch)
  • [2024-01-10] Accepted p7zip 16.02+transitional.1 (source) into unstable (Robert Luberda)
  • [2020-08-20] p7zip 16.02+dfsg-8 MIGRATED to testing (Debian testing watch)
  • [2020-08-15] Accepted p7zip 16.02+dfsg-8 (source) into unstable (Robert Luberda)
  • [2019-08-15] p7zip 16.02+dfsg-7 MIGRATED to testing (Debian testing watch)
  • [2019-08-09] Accepted p7zip 16.02+dfsg-7 (source) into unstable (Robert Luberda)
  • [2018-02-11] p7zip 16.02+dfsg-6 MIGRATED to testing (Debian testing watch)
  • [2018-02-10] Accepted p7zip 9.20.1~dfsg.1-4.1+deb8u3 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Salvatore Bonaccorso)
  • [2018-02-09] Accepted p7zip 16.02+dfsg-3+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
  • [2018-02-05] Accepted p7zip 16.02+dfsg-6 (source amd64) into unstable (Robert Luberda)
  • [2018-02-03] p7zip 16.02+dfsg-5 MIGRATED to testing (Debian testing watch)
  • [2018-02-02] Accepted p7zip 9.20.1~dfsg.1-4+deb7u3 (source amd64) into oldoldstable (Antoine Beaupré)
  • [2018-01-28] Accepted p7zip 16.02+dfsg-5 (source amd64) into unstable (Robert Luberda)
  • [2017-07-23] p7zip 16.02+dfsg-4 MIGRATED to testing (Debian testing watch)
  • [2017-07-15] Accepted p7zip 16.02+dfsg-4 (source amd64) into unstable (Robert Luberda)
  • [2017-04-13] p7zip 16.02+dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2017-04-10] Accepted p7zip 16.02+dfsg-3 (source) into unstable (Robert Luberda)
  • [2016-11-25] p7zip 16.02+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2016-11-19] Accepted p7zip 16.02+dfsg-2 (source) into unstable (Robert Luberda)
  • [2016-08-26] p7zip 16.02+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2016-08-15] Accepted p7zip 16.02+dfsg-1 (source) into unstable (Robert Luberda)
  • [2016-06-10] Accepted p7zip 9.20.1~dfsg.1-4+deb7u2 (source i386) into oldstable (signed by: Brian May)
  • [2016-06-09] Accepted p7zip 9.20.1~dfsg.1-4.1+deb8u2 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
  • [2016-05-18] p7zip 15.14.1+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2016-05-15] Accepted p7zip 15.14.1+dfsg-2 (source) into unstable (Robert Luberda)
  • [2016-04-28] p7zip 15.14.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2016-04-16] Accepted p7zip 15.14.1+dfsg-1 (source) into unstable (Robert Luberda)
bugs [bug history graph]
  • all: 0

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers