Re: HFS+ specific vulnerability

To: debian-lts@lists.debian.org
Subject: Re: HFS+ specific vulnerability
From: Brian May <bam@debian.org>
Date: Fri, 03 Jun 2016 18:05:06 +1000
Message-id: <[🔎] 8737ou8zpp.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 8760tq91jf.fsf@prune.linuxpenguins.xyz>
References: <[🔎] 871t4g9h01.fsf@prune.linuxpenguins.xyz> <[🔎] 1464853872.2847.92.camel@decadent.org.uk> <[🔎] 8760tq91jf.fsf@prune.linuxpenguins.xyz>

Brian May <bam@debian.org> writes:

> Will continue to check the code to make sure.

Actually looks like the vulnerable HFS+ is not present in the wheezy
version p7zip. In this version CPP/7zip/Archive/Hfs/HfsHandler.cpp is
only 243 lines, the exploit is in a function that doesn't exist on lines
1496 to 1575.

For the UDF case the code is a bit different, but it looks like it is
all there. So possibly might be worth fixing this.

I think there would need to be some code to disable the UDF code if it
isn't a UDF file system. Even if just for compression not
decompression. Still looking for this however.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: HFS+ specific vulnerability
  - From: Brian May <bam@debian.org>

References:
- HFS+ specific vulnerability
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: HFS+ specific vulnerability
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: HFS+ specific vulnerability
  - From: Brian May <bam@debian.org>

Prev by Date: Re: Security update of dhcpd5
Next by Date: Re: HFS+ specific vulnerability
Previous by thread: Re: HFS+ specific vulnerability
Next by thread: Re: HFS+ specific vulnerability
Index(es):
- Date
- Thread