Vulnerability CVE-2017-17969: Information

Description

Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before 18.00 and p7zip allows remote attackers to cause a denial of service (out-of-bounds write) or potentially execute arbitrary code via a crafted ZIP archive.

Severity: HIGH (7.8) Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-17969
Published: Jan. 30, 2018
Modified: March 21, 2019
Error type identifier: CWE-787

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
p7zipsisyphus16.02-alt317.05-alt2ALT-PU-2018-2591-1216092Fixed
p7zipp1016.02-alt317.05-alt2ALT-PU-2018-2591-1216092Fixed
p7zipp916.02-alt316.02-alt5ALT-PU-2018-2591-1216092Fixed
p7zipc10f116.02-alt317.04-alt1ALT-PU-2018-2591-1216092Fixed
p7zipc9f216.02-alt317.04-alt2ALT-PU-2018-2591-1216092Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/
  • Exploit
  • Technical Description
  • Third Party Advisory
[debian-lts-announce] 20180202 [SECURITY] [DLA 1268-1] p7zip security update
  • Mailing List
  • Third Party Advisory
DSA-4104
  • Third Party Advisory
https://0patch.blogspot.si/2018/02/two-interesting-micropatches-for-7-zip.html
    1040831
      USN-3913-1

          1. Configuration 1

            cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*
            End excliding
            18.00
            cpe:2.3:a:7-zip:p7zip:*:*:*:*:*:*:*:*
            End excliding
            18.0

            Configuration 2

            cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
            cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
            cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.5.0
        Back to top