984650 – (CVE-2016-1372) VUL-0: CVE-2016-1372: clamav,p7zip: Multiple vulnerabilities when processing crafted 7z files

Bug 984650 (CVE-2016-1372) - VUL-0: CVE-2016-1372: clamav,p7zip: Multiple vulnerabilities when processing crafted 7z files

Summary: VUL-0: CVE-2016-1372: clamav,p7zip: Multiple vulnerabilities when processing ...

Status:	RESOLVED FIXED

Alias:	CVE-2016-1372

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/170063/
Whiteboard:	CVSSv2:SUSE:CVE-2016-1372:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-06-14 13:17 UTC by Marcus Meissner
Modified:	2021-06-07 09:55 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
../sample.7z (104 bytes, application/octet-stream) 2016-06-14 13:27 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-06-14 13:17:44 UTC

https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/

CVE-2016-1372 – Multiple vulnerabilities when processing crafted 7z files

Comment 1 Marcus Meissner 2016-06-14 13:19:36 UTC

according to the webpage already fixed in clamav 0.99.2.

Comment 2 Marcus Meissner 2016-06-14 13:27:48 UTC

Created attachment 680767 [details]
../sample.7z

QA REPRODUCER:

7z l sample.7z

should not crash

Comment 3 Marcus Meissner 2016-06-14 13:28:22 UTC

this is one sample from 

GIT : https://github.com/brandonprry/clamav-fuzz

subdirectory crashes/*

Comment 4 Swamp Workflow Management 2016-06-14 22:01:03 UTC

bugbot adjusting priority

Comment 5 Kristyna Streitova 2018-02-09 17:25:13 UTC

P7zip
-----

|    Codestream    |   Request    |
|------------------|--------------|
| SLE-12:Update    | #154442      |
| openSUSE:Leap    | via SLE12    |
| openSUSE:Factory | not affected |

Done. I'm reassigning it back to the security team.

Comment 7 Swamp Workflow Management 2018-02-16 17:09:24 UTC

SUSE-SU-2018:0464-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1077724,1077725,1077978,984650
CVE References: CVE-2016-1372,CVE-2017-17969,CVE-2018-5996
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    p7zip-9.20.1-7.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    p7zip-9.20.1-7.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    p7zip-9.20.1-7.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    p7zip-9.20.1-7.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    p7zip-9.20.1-7.3.1

Comment 8 Swamp Workflow Management 2018-02-20 17:17:19 UTC

openSUSE-SU-2018:0497-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1077724,1077725,1077978,984650
CVE References: CVE-2016-1372,CVE-2017-17969,CVE-2018-5996
Sources used:
openSUSE Leap 42.3 (src):    p7zip-9.20.1-18.3.1

Comment 9 Marcus Meissner 2018-02-21 06:34:14 UTC

fixed