FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
8f5c9dd6-5cac-11e5-9ad8-14dae9d210b8p7zip -- directory traversal vulnerability

Alexander Cherepanov reports:

7z (and 7zr) is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.


Discovery 2015-01-05
Entry 2015-09-16
p7zip
< 9.38.1_2

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660
http://www.openwall.com/lists/oss-security/2015/01/11/2
http://sourceforge.net/p/p7zip/bugs/147/
CVE-2015-1038
d706a3a3-4a7c-11e6-97f7-5453ed2e2b49p7zip -- out-of-bounds read vulnerability

Cisco Talos reports:

An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files.

Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the "PartitionRef" field from the Long Allocation Descriptor. Lack of checking whether the "PartitionRef" field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.


Discovery 2016-05-11
Entry 2016-07-15
p7zip
< 15.14_1

CVE-2016-2335
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49p7zip -- heap overflow vulnerability

Cisco Talos reports:

An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution.


Discovery 2016-05-11
Entry 2016-07-15
p7zip
< 15.14_1

CVE-2016-2334
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
942fff11-5ac4-11ec-89ea-c85b76ce9b5ap7zip -- usage of uninitialized memory

NVD reports:

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.


Discovery 2018-05-02
Entry 2021-12-11
p7zip
< 18.05

CVE-2018-10115
https://nvd.nist.gov/vuln/detail/CVE-2018-10115
48e83187-b6e9-11e6-b6cf-5453ed2e2b49p7zip -- Null pointer dereference

MITRE reports:

A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files.


Discovery 2016-07-17
Entry 2016-11-30
p7zip
< 15.14_2

CVE-2016-9296
https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/
https://sourceforge.net/p/p7zip/bugs/185/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296
6d337396-0e4a-11e8-94c0-5453ed2e2b49p7zip -- heap-based buffer overflow

MITRE reports:

Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before 18.00 and p7zip allows remote attackers to cause a denial of service (out-of-bounds write) or potentially execute arbitrary code via a crafted ZIP archive.


Discovery 2018-01-23
Entry 2018-02-10
p7zip
< 16.02_1

CVE-2017-17969
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969
https://nvd.nist.gov/vuln/detail/CVE-2017-17969
https://marc.info/?l=bugtraq&=151782582216805&=2