Re: HFS+ specific vulnerability
Brian May <bam@debian.org> writes:
> Will continue to check the code to make sure.

Actually looks like the vulnerable HFS+ is not present in the wheezy
version of p7zip. In this version CPP/7zip/Archive/Hfs/HfsHandler.cpp is
only 243 lines; the exploit is in a function that doesn't exist on lines
1496 to 1575.

For the UDF case the code is a bit different, but it looks like it is
all there. So possibly might be worth fixing this.

I think there would need to be some code to disable the UDF code if it
isn't a UDF file system. Even if just for compression not
decompression. Still looking for this however.
--
Brian May <bam@debian.org>