[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HFS+ specific vulnerability

Brian May <bam@debian.org> writes:

> Will continue to check the code to make sure.

Actually looks like the vulnerable HFS+ is not present in the wheezy
version p7zip. In this version CPP/7zip/Archive/Hfs/HfsHandler.cpp is
only 243 lines, the exploit is in a function that doesn't exist on lines
1496 to 1575.

For the UDF case the code is a bit different, but it looks like it is
all there. So possibly might be worth fixing this.

I think there would need to be some code to disable the UDF code if it
isn't a UDF file system. Even if just for compression not
decompression. Still looking for this however.
Brian May <bam@debian.org>

Reply to: