-
-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issues with p7zip #45397
Comments
Going forward we may want to consider dropping 7z in favor of better maintained compression libraries. |
There is an upstream 7zip from the author of the windows lib now, we could use that. It seems to be regularly updated. https://www.7-zip.org/download.html |
But 7zip is different from p7zip, no? |
From what I understand p7zip = posix7zip. And it's built on 7zip code, just old code. |
I've studied that issue to some extent, so here are my notes on the situation:
Using 7zip might be good, but I don't think it has guarantees to support all the platforms that julia does (freebsd, for example). My 20 cents of advice would be to migrate to the p7zip fork for security reasons, in the short term. PS: For p7zip, do you need a library or just the binary? |
OK, I knew that 7zip was Windows-only and as such not really practical for us. But I see now on the website that there are binaries for Linux and macOS, I missed the progress about this.
I think we currently use only the executable, although using a library for in-process work may not be a bad idea? Well, I wish using libraries was better than external executables, but libgit2 is a notable exception... |
@fxcoudert Would the one that homebrew ships address all the CVEs? If so, it may be best for us to shift to that for now, and figure out a better solution long term. |
That's the same fork mentioned in the original post as being used by NixOS, and Matt said that it addresses only some of the vulnerabilities. |
I just hadn't gone through all the CVEs and matched them against patches when I started this issue. Doing so now, it looks like the only one missing is the most recent CVE-2022-29072... but that's now officially flagged as disputed. Many reputable sources are saying it's invalid. E.g., in Tom's Hardware's update on the CVE:
|
CVE-2022-29072 is disputed, and it concerns the interaction between the 7zip windows executable and its help file. There is no such CHM file in p7zip, so it is even unclear at this stage if this potential vulnerability even affects p7zip. |
The only thing we currently use p7z for is gzip compression and decompression, which would, honestly be much easier to do with gzip itself than it is to coax p7z into doing it. It would probably be faster as well as more secure. We used to also use it to pack and unpack tarballs, but we use the |
Pkg is supposed to support more compression formats than gzip: https://github.com/JuliaLang/Pkg.jl/blob/40caa25ee7821a03681a4f4d8ef74b40d90fa366/src/PlatformEngines.jl#L475 and it'd be nice to use more efficient compression formats for some artifacts. |
I think this is closed by #45435 |
p7zip has some active CVEs. I see we’re already carrying some of the patches for p7zip:
But I think we need patches for
CVE-2022-29072The upstream p7zip project seems to be fairly abandoned, with lots of conflicting information about the latest release. There is a fork of p7zip carries (at least some) of those patches. NixOS has switched to that fork: NixOS/nixpkgs#88147
The text was updated successfully, but these errors were encountered: