P7zip update required

extra/p7zip is outdated; CVE-2023-31102 and CVE-2023-40481 are dangerous.

I want to have a new version.

How do I report issues with Manjaro packages? Unfortunately, I did not find the respective package in Extra · GitLab in order to file an issue there!

I will use aur/7-zip-full in the meanwhile.

Thanks
Samuel

Are you sure the Windows software 7-zip is the same as p7zip?


I had to make that replacement a few months ago. The extra/p7zip package mentioned by Samuel is not the same as Windows 7-Zip; however, the 7-zip-full package found in the AUR, as I understand it, is. I used the same 7-zip-full package, which solved some emerging compatibility issues at the time.

With these CVE-2023-31102 and CVE-2023-40481 advisories, now is probably a good time to replace p7zip as a dependency in packages that use it, on all Unix variants.

Oh, and this has been my first forum post! Greetings all. Cheers.

pacman -Si p7zip
[...]
Packager        : Evangelos Foutras <foutrelis@archlinux.org>
[...]

Because the package comes directly from Arch.
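As an added illustration of the check in the post above (this is not code from the thread or from any Manjaro or Arch tooling), the POSIX shell function below reads `pacman -Si` or `pacman -Qi` output on stdin and reports, per package, its version and where it was built, judged from the Packager e-mail domain. The function name and the two embedded sample outputs (including their version strings) are constructed for the example; only the Packager line for p7zip is taken from the post.

```shell
#!/bin/sh
# Added example, not from the forum thread. Reads `pacman -Si` / `pacman -Qi`
# output on stdin and prints "<name> <version> <origin>" for each package.
# origin is derived from the Packager field:
#   archlinux.org  -> arch    (inherited unchanged from the Arch repos, so a
#                              fixed build has to come from Arch / upstream)
#   manjaro.org    -> manjaro (built by Manjaro; report it to Manjaro)
#   anything else  -> other   (e.g. "Unknown Packager", the makepkg default
#                              for packages you built yourself from the AUR)
package_origin_report() {
    awk -F' : ' '
        /^Name /     { name = $2 }
        /^Version /  { version = $2 }
        /^Packager / {
            origin = "other"
            if ($2 ~ /@archlinux\.org>?$/)     origin = "arch"
            else if ($2 ~ /@manjaro\.org>?$/)  origin = "manjaro"
            printf "%s %s %s\n", name, version, origin
        }
    '
}

# Constructed sample: the shape of `pacman -Si p7zip`; the version is made up,
# the Packager line is the one quoted in the thread.
SAMPLE_ARCH='Repository      : extra
Name            : p7zip
Version         : 1:17.05-1
Description     : Command-line file archiver with high compression ratio
Packager        : Evangelos Foutras <foutrelis@archlinux.org>
Validated By    : Signature'

# Constructed sample: a locally built AUR package as shown by `pacman -Qi`.
SAMPLE_AUR='Name            : 7-zip-full
Version         : 23.01-1
Description     : 7-Zip file archiver (full Linux port)
Packager        : Unknown Packager
Validated By    : None'

# Stand-alone run over the constructed samples. On a real system you would
# pipe live output instead, e.g.:  pacman -Qi p7zip | package_origin_report
printf '%s\n' "$SAMPLE_ARCH" | package_origin_report
printf '%s\n' "$SAMPLE_AUR"  | package_origin_report
```

An "arch" origin tells you the binary is Arch's own build, so the fix will arrive through Arch's update of the package; an "other" origin with "Unknown Packager" means you built it yourself and are responsible for rebuilding it when the AUR PKGBUILD moves to a fixed release.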


p7zip is supposedly “p7zip - the port of the command line version of 7-Zip to Linux/Posix”. However, the original p7zip project on SourceForge has been dormant since 2016. Most distros, including Arch, have opted for the fork of the project: p7zip-project · GitHub

As aforementioned, this package is simply inherited by Manjaro from the Arch repos. However, the Arch package maintainer will only be able to release a fresh version when one is released by the original project, in this case the fork of the project.

Luckily this has been raised as an issue in the forked project by someone yesterday: Is p7zip affected by remote code execution security vulnerabilities of "normal" 7zip? · Issue #224 · p7zip-project/p7zip · GitHub

So hopefully we’ll get a fresh release, and after that a fresh update from the Arch repos, soon.

I was not aware that Arch packages are used directly in Manjaro. I thought there was some re-compilation or something. Thanks for this and all the other information! So, I conclude, going back to p7zip will not be affected by the mentioned CVEs?

It will be affected as long as those CVEs are unaddressed.
arch-audit is a nifty tool for such things.

Just to clear up possible ambiguity between 7zip versions.

From the p7zip-project: “p7zip - A new p7zip fork with additional codecs and improvements (forked from sourceforge_net/projects/sevenzip/ AND sourceforge_net/projects/p7zip/)”.

So, there are three separate code bases; only one is maintained by Igor Pavlov, as far as I can determine. Without more research it’s difficult to say that they are all affected by the aforementioned CVEs, but it would probably be a safe guess to presume they are.

There was some news about this, but looking at their site, 7-zip downloads shows 23.01 was out in June.

There’s now a full 7-zip-full package in the AUR which will pull it down and uninstall the conflicting p7zip if you install via pamac.

@Ben This is the package I used several months ago to solve unrelated compatibility issues - 7-zip-full should be the package of choice going forward (imho) - though it will probably take a while for individual package maintainers using p7zip as a dependency to catch on, or overcome their apathy.