Security update for p7zip SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2625-1 Final 1 1 2024-07-30T07:06:50Z current 2024-07-30T07:06:50Z 2024-07-30T07:06:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for p7zip This update for p7zip fixes the following issues: - CVE-2023-52168: Fixed heap-based buffer overflow in the NTFS handler allows two bytes to be overwritten at multiple offsets (bsc#1227358) - CVE-2023-52169: Fixed out-of-bounds read in NTFS handler (bsc#1227359) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2625,SUSE-SLE-Module-Basesystem-15-SP5-2024-2625,SUSE-SLE-Module-Basesystem-15-SP6-2024-2625,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2625,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2625,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-2625,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-2625,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-2625,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2625,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2625,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-2625,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2625,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2625,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-2625,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-2625,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-2625,SUSE-Storage-7.1-2024-2625,openSUSE-SLE-15.5-2024-2625,openSUSE-SLE-15.6-2024-2625 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242625-1/ Link for SUSE-SU-2024:2625-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/019049.html E-Mail link for SUSE-SU-2024:2625-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227358 SUSE Bug 1227358 https://bugzilla.suse.com/1227359 SUSE Bug 1227359 https://www.suse.com/security/cve/CVE-2023-52168/ SUSE CVE CVE-2023-52168 page https://www.suse.com/security/cve/CVE-2023-52169/ SUSE CVE CVE-2023-52169 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Server 4.3 openSUSE Leap 15.5 openSUSE Leap 15.6 p7zip-16.02-150200.14.12.1 p7zip-doc-16.02-150200.14.12.1 p7zip-full-16.02-150200.14.12.1 p7zip-16.02-150200.14.12.1 as a component of SUSE Enterprise Storage 7.1 p7zip-full-16.02-150200.14.12.1 as a component of SUSE Enterprise Storage 7.1 p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 p7zip-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 p7zip-full-16.02-150200.14.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 p7zip-16.02-150200.14.12.1 as a component of SUSE Manager Proxy 4.3 p7zip-full-16.02-150200.14.12.1 as a component of SUSE Manager Proxy 4.3 p7zip-16.02-150200.14.12.1 as a component of SUSE Manager Server 4.3 p7zip-full-16.02-150200.14.12.1 as a component of SUSE Manager Server 4.3 p7zip-16.02-150200.14.12.1 as a component of openSUSE Leap 15.5 p7zip-doc-16.02-150200.14.12.1 as a component of openSUSE Leap 15.5 p7zip-full-16.02-150200.14.12.1 as a component of openSUSE Leap 15.5 p7zip-16.02-150200.14.12.1 as a component of openSUSE Leap 15.6 p7zip-doc-16.02-150200.14.12.1 as a component of openSUSE Leap 15.6 p7zip-full-16.02-150200.14.12.1 as a component of openSUSE Leap 15.6 The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. CVE-2023-52168 SUSE Enterprise Storage 7.1:p7zip-16.02-150200.14.12.1 SUSE Enterprise Storage 7.1:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP2-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP2-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP3-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP3-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP4-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP4-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:p7zip-full-16.02-150200.14.12.1 SUSE Manager Proxy 4.3:p7zip-16.02-150200.14.12.1 SUSE Manager Proxy 4.3:p7zip-full-16.02-150200.14.12.1 SUSE Manager Server 4.3:p7zip-16.02-150200.14.12.1 SUSE Manager Server 4.3:p7zip-full-16.02-150200.14.12.1 openSUSE Leap 15.5:p7zip-16.02-150200.14.12.1 openSUSE Leap 15.5:p7zip-doc-16.02-150200.14.12.1 openSUSE Leap 15.5:p7zip-full-16.02-150200.14.12.1 openSUSE Leap 15.6:p7zip-16.02-150200.14.12.1 openSUSE Leap 15.6:p7zip-doc-16.02-150200.14.12.1 openSUSE Leap 15.6:p7zip-full-16.02-150200.14.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242625-1/ https://www.suse.com/security/cve/CVE-2023-52168.html CVE-2023-52168 https://bugzilla.suse.com/1227358 SUSE Bug 1227358 The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. CVE-2023-52169 SUSE Enterprise Storage 7.1:p7zip-16.02-150200.14.12.1 SUSE Enterprise Storage 7.1:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP2-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP2-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP3-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP3-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP4-LTSS:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server 15 SP4-LTSS:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:p7zip-full-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:p7zip-16.02-150200.14.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:p7zip-full-16.02-150200.14.12.1 SUSE Manager Proxy 4.3:p7zip-16.02-150200.14.12.1 SUSE Manager Proxy 4.3:p7zip-full-16.02-150200.14.12.1 SUSE Manager Server 4.3:p7zip-16.02-150200.14.12.1 SUSE Manager Server 4.3:p7zip-full-16.02-150200.14.12.1 openSUSE Leap 15.5:p7zip-16.02-150200.14.12.1 openSUSE Leap 15.5:p7zip-doc-16.02-150200.14.12.1 openSUSE Leap 15.5:p7zip-full-16.02-150200.14.12.1 openSUSE Leap 15.6:p7zip-16.02-150200.14.12.1 openSUSE Leap 15.6:p7zip-doc-16.02-150200.14.12.1 openSUSE Leap 15.6:p7zip-full-16.02-150200.14.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242625-1/ https://www.suse.com/security/cve/CVE-2023-52169.html CVE-2023-52169 https://bugzilla.suse.com/1227359 SUSE Bug 1227359