Security update for p7zip SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:0464-1 Final 1 1 2018-02-16T12:45:57Z current 2018-02-16T12:45:57Z 2018-02-16T12:45:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for p7zip This update for p7zip fixes the following issues: Security issues fixed: - CVE-2016-1372: Fixed multiple vulnerabilities when processing crafted 7z files (bsc#984650) - CVE-2017-17969: Fixed a heap-based buffer overflow in a shrink decoder (bsc#1077725) - CVE-2018-5996: Fixed memory corruption in RAR decompression. The complete RAR decoder was removed as it also has license issues (bsc#1077724 bsc#1077978) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP2-2018-319,SUSE-SLE-DESKTOP-12-SP3-2018-319,SUSE-SLE-RPI-12-SP2-2018-319,SUSE-SLE-SERVER-12-SP2-2018-319,SUSE-SLE-SERVER-12-SP3-2018-319 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20180464-1/ Link for SUSE-SU-2018:0464-1 https://lists.suse.com/pipermail/sle-security-updates/2018-February/003737.html E-Mail link for SUSE-SU-2018:0464-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1077724 SUSE Bug 1077724 https://bugzilla.suse.com/1077725 SUSE Bug 1077725 https://bugzilla.suse.com/1077978 SUSE Bug 1077978 https://bugzilla.suse.com/984650 SUSE Bug 984650 https://www.suse.com/security/cve/CVE-2016-1372/ SUSE CVE CVE-2016-1372 page https://www.suse.com/security/cve/CVE-2017-17969/ SUSE CVE CVE-2017-17969 page https://www.suse.com/security/cve/CVE-2018-5996/ SUSE CVE CVE-2018-5996 page SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 p7zip-9.20.1-7.3.1 p7zip-9.20.1-7.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 p7zip-9.20.1-7.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 p7zip-9.20.1-7.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 p7zip-9.20.1-7.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 p7zip-9.20.1-7.3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 p7zip-9.20.1-7.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 p7zip-9.20.1-7.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 ClamAV (aka Clam AntiVirus) before 0.99.2 allows remote attackers to cause a denial of service (application crash) via a crafted 7z file. CVE-2016-1372 SUSE Linux Enterprise Desktop 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Desktop 12 SP3:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server 12 SP3:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:p7zip-9.20.1-7.3.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180464-1/ https://www.suse.com/security/cve/CVE-2016-1372.html CVE-2016-1372 https://bugzilla.suse.com/984650 SUSE Bug 984650 Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before 18.00 and p7zip allows remote attackers to cause a denial of service (out-of-bounds write) or potentially execute arbitrary code via a crafted ZIP archive. CVE-2017-17969 SUSE Linux Enterprise Desktop 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Desktop 12 SP3:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server 12 SP3:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:p7zip-9.20.1-7.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180464-1/ https://www.suse.com/security/cve/CVE-2017-17969.html CVE-2017-17969 https://bugzilla.suse.com/1077725 SUSE Bug 1077725 Insufficient exception handling in the method NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip can lead to multiple memory corruptions within the PPMd code, allows remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive. CVE-2018-5996 SUSE Linux Enterprise Desktop 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Desktop 12 SP3:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server 12 SP3:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:p7zip-9.20.1-7.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:p7zip-9.20.1-7.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180464-1/ https://www.suse.com/security/cve/CVE-2018-5996.html CVE-2018-5996 https://bugzilla.suse.com/1077724 SUSE Bug 1077724