
CVE-2024-11477? #240

Open
l29ah opened this issue Nov 22, 2024 · 3 comments

Comments

@l29ah commented Nov 22, 2024

Is this project vulnerable to https://www.zerodayinitiative.com/advisories/ZDI-24-1532/ ?

@Neustradamus

@l29ah: If the 7zip source code is not updated to 24.08, I think yes.

@Arcitec commented Nov 26, 2024

From what I understand, this p7zip project is not the same thing and is a reimplementation.

But Low Level Learning has made a video pinpointing the 3 lines that actually fixed the bug. So it may need to be ported to p7zip:

https://youtube.com/watch?v=i5L9xEk_adw

If the same integer underflow math bug exists here then it's in need of fixing here too.
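
The integer-underflow pattern Arcitec refers to, as an added illustration that is not 7-Zip's, p7zip's or the video's code and does not reproduce the CVE's real decoder: a constructed toy block format in which an attacker-controlled header length is subtracted from the input length before it has been validated, shown beside the hardened form. The block layout, the OUT_CAP constant, the arena harness and the decode_* function names are assumptions made for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy format (an assumption for this example, not any real
 * archive or Zstandard structure):
 *   byte 0      : header length H, attacker controlled
 *   bytes 1..H-1: header, ignored here
 *   bytes H..   : payload, copied into the caller's output buffer
 */

#define OUT_CAP 16

/* Vulnerable: skips H bytes before proving H <= in_len.  When H > in_len
 * the unsigned subtraction wraps to a huge size_t; clamping that to
 * out_cap hides the wrap, and memcpy then reads past the end of the
 * declared input. */
static int decode_vuln(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len == 0) return -1;
    size_t pos = in[0];                  /* H, untrusted */
    size_t remaining = in_len - pos;     /* underflows when pos > in_len */
    if (remaining > out_cap) remaining = out_cap;  /* clamp, not reject */
    memcpy(out, in + pos, remaining);    /* over-read when pos > in_len */
    *out_len = remaining;
    return 0;
}

/* Hardened: validate the untrusted length against what is actually
 * available before performing any subtraction that depends on it, and
 * reject oversize payloads instead of silently clamping them. */
static int decode_fixed(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len == 0) return -1;
    size_t pos = in[0];
    if (pos > in_len) return -1;         /* check before subtracting */
    size_t remaining = in_len - pos;     /* now provably <= in_len */
    if (remaining > out_cap) return -1;
    memcpy(out, in + pos, remaining);
    *out_len = remaining;
    return 0;
}

/* Harness: a 4-byte block sits at the start of a larger arena so that the
 * vulnerable decoder's over-read lands on bytes we control and can
 * observe, rather than on unrelated memory. */
static uint8_t arena[64];

static void load_block(uint8_t hdr_len, const char *payload)
{
    memset(arena, 'S', sizeof arena);    /* 'S' marks bytes beyond the block */
    arena[0] = hdr_len;
    arena[1] = 0;
    arena[2] = (uint8_t)payload[0];
    arena[3] = (uint8_t)payload[1];
}

/* Number of out-of-block 'S' bytes the vulnerable decoder copies into
 * `out` for a block claiming H=8 with only 4 bytes present; -1 if it
 * refuses the block. */
int leaked_by_vuln(void)
{
    uint8_t out[OUT_CAP];
    size_t n = 0;
    load_block(8, "ab");
    if (decode_vuln(arena, 4, out, OUT_CAP, &n) != 0) return -1;
    int leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == 'S') leaked++;
    return leaked;
}

/* 1 if the hardened decoder rejects the same malformed block. */
int fixed_rejects_underflow(void)
{
    uint8_t out[OUT_CAP];
    size_t n = 0;
    load_block(8, "ab");
    return decode_fixed(arena, 4, out, OUT_CAP, &n) == -1;
}

/* 1 if the hardened decoder still accepts a well-formed block (H=2). */
int fixed_accepts_valid(void)
{
    uint8_t out[OUT_CAP];
    size_t n = 0;
    load_block(2, "ab");
    if (decode_fixed(arena, 4, out, OUT_CAP, &n) != 0) return 0;
    return n == 2 && out[0] == 'a' && out[1] == 'b';
}

int main(void)
{
    printf("vulnerable decoder leaked %d bytes beyond the block\n", leaked_by_vuln());
    printf("fixed decoder rejects malformed block: %d\n", fixed_rejects_underflow());
    printf("fixed decoder accepts valid block: %d\n", fixed_accepts_valid());
    return 0;
}
```

The point of the side-by-side is the ordering: the fix is not the clamp on the output side but the comparison of the untrusted length against the input length before any subtraction that uses it, which is the shape of check that would have to exist in whichever decoder p7zip actually uses.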

@kepstin commented Nov 27, 2024

Based on the video by "Low Level", it's unlikely that the CVE applies. The bug appears to have been in 7-Zip's reimplementation of the Zstandard compression algorithm, but p7zip uses the externally developed zstd library instead. That said, p7zip currently includes zstd 1.5.2, which is somewhat out of date.
