emilazy
commented
10 hours ago I’ve backported all the updates up to 24.08 to 24.05. Channel updates are going to be a bit weird because Darwin is several weeks behind.
Closed nh2 closed 7 hours ago
emilazy
commented
10 hours ago I’ve backported all the updates up to 24.08 to 24.05. Channel updates are going to be a bit weird because Darwin is several weeks behind.
nh2
commented
7 hours ago Linking the backports:
Closing as solved.
7zz
https://www.zerodayinitiative.com/advisories/ZDI-24-1532/ reports an integer underflow vulnerability allowing code execution in 7-zip unpacking zstandard (zstd) archives.
Reported fixed in 7-zip 24.07, and thus the same version of
7zz(which is the official Linux CLI for 7-zip).nixpkgs
masteralready has 24.08, butnixos-24.05has7zz 24.05.The key fix to the issue appears to be here:
https://github.com/mcmilk/7-Zip/commit/14d4b3f5e43e1c9bf23d314dcb8fb76887f6e855#diff-896855d0e24931a930fa2e2a5e6c4a92d3589a70c1f8436d76e0f3c673888624L1311
I have not thoroughly analysed this code.
The first vulnerable release that includes this code seems to be
v24.01, whose beta was announced 2024-01-30, but whilev24.01it does have binary releases, the main release post is merged into the announcement ofv24.05from 2024-05-15 .The bugged code was added in 7-zip
24.01.Note I'm linking the Github of somebody else, because of further concern is:
7-zip does not have a proper (version control) code repository. It seems to be mainly a one-person project where only release code archives are published.
p7zip
There is also
p7zipin nixpkgs; it started as an (old fork of 7-zip to add Linux compat from before7zzexisted). It was said to be unmainteained for a while. Its version is v17.05 (latest p7zip upstream release) in bothnixos-24.05andmasterApparently in itsmaster, the p7zip project now names itselfp7zip-zstd(but only in the README, not the repo name), and according to the README now apparently derived from7zz Version 22.00. I checked that thep7zipin NixOS can indeed unpack.zstdarchives created byzstd.But
p7zipis probably not vulnerable because while the official 7-zip7zzimplements its own zstandard decoder, p7zip instead uses the official zstandard library.