Debian Package Tracker

p7zip

transitional package


general
  • source: p7zip (main)
  • version: 16.02+transitional.1
  • maintainer: Robert Luberda (DMD)
  • arch: all
  • std-ver: 4.6.2
  • VCS: Git (Browse)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 16.02+dfsg-8
  • o-o-sec: 16.02+really25.01+dfsg-0+deb11u1
  • oldstable: 16.02+really25.01+dfsg-0+deb12u1
  • stable: 16.02+transitional.1
versioned links
  • 16.02+dfsg-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 16.02+really25.01+dfsg-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 16.02+really25.01+dfsg-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 16.02+transitional.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • p7zip
  • p7zip-full
package is gone
This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.
action needed
2 security issues in bullseye (severity: high)

There are 2 open security issues in bullseye.

2 important issues:
  • CVE-2026-48095: 7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching "NTFS " at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue.
  • CVE-2026-48112: 7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in 7-Zip Ar handler BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue.
Created: 2026-05-28 Last update: 2026-06-06 03:48
news
  • [2026-05-11] Accepted p7zip 16.02+really25.01+dfsg-0+deb11u1 (source) into oldoldstable-security (Sylvain Beucler)
  • [2026-05-03] Accepted p7zip 16.02+really25.01+dfsg-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sylvain Beucler)
  • [2025-09-22] p7zip REMOVED from testing (Debian testing watch)
  • [2025-09-08] Removed 16.02+transitional.1 from unstable (Debian FTP Masters)
  • [2024-01-21] p7zip 16.02+transitional.1 MIGRATED to testing (Debian testing watch)
  • [2024-01-10] Accepted p7zip 16.02+transitional.1 (source) into unstable (Robert Luberda)
  • [2020-08-20] p7zip 16.02+dfsg-8 MIGRATED to testing (Debian testing watch)
  • [2020-08-15] Accepted p7zip 16.02+dfsg-8 (source) into unstable (Robert Luberda)
  • [2019-08-15] p7zip 16.02+dfsg-7 MIGRATED to testing (Debian testing watch)
  • [2019-08-09] Accepted p7zip 16.02+dfsg-7 (source) into unstable (Robert Luberda)
  • [2018-02-11] p7zip 16.02+dfsg-6 MIGRATED to testing (Debian testing watch)
  • [2018-02-10] Accepted p7zip 9.20.1~dfsg.1-4.1+deb8u3 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Salvatore Bonaccorso)
  • [2018-02-09] Accepted p7zip 16.02+dfsg-3+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
  • [2018-02-05] Accepted p7zip 16.02+dfsg-6 (source amd64) into unstable (Robert Luberda)
  • [2018-02-03] p7zip 16.02+dfsg-5 MIGRATED to testing (Debian testing watch)
  • [2018-02-02] Accepted p7zip 9.20.1~dfsg.1-4+deb7u3 (source amd64) into oldoldstable (Antoine Beaupré)
  • [2018-01-28] Accepted p7zip 16.02+dfsg-5 (source amd64) into unstable (Robert Luberda)
  • [2017-07-23] p7zip 16.02+dfsg-4 MIGRATED to testing (Debian testing watch)
  • [2017-07-15] Accepted p7zip 16.02+dfsg-4 (source amd64) into unstable (Robert Luberda)
  • [2017-04-13] p7zip 16.02+dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2017-04-10] Accepted p7zip 16.02+dfsg-3 (source) into unstable (Robert Luberda)
  • [2016-11-25] p7zip 16.02+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2016-11-19] Accepted p7zip 16.02+dfsg-2 (source) into unstable (Robert Luberda)
  • [2016-08-26] p7zip 16.02+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2016-08-15] Accepted p7zip 16.02+dfsg-1 (source) into unstable (Robert Luberda)
  • [2016-06-10] Accepted p7zip 9.20.1~dfsg.1-4+deb7u2 (source i386) into oldstable (signed by: Brian May)
  • [2016-06-09] Accepted p7zip 9.20.1~dfsg.1-4.1+deb8u2 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
  • [2016-05-18] p7zip 15.14.1+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2016-05-15] Accepted p7zip 15.14.1+dfsg-2 (source) into unstable (Robert Luberda)
bugs [bug history graph]
  • all: 0