New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
p7zip: fix two CVEs and mark as insecure #86417
Conversation
@GrahamcOfBorg build p7zip |
Removed from flatpak-builder in d74e044 |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/p7zip-and-possible-rces/6951/4 |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/p7zip-and-possible-rces/6951/5 |
knownVulnerabilities = [ | ||
# p7zip is abandoned, according to this thread on its forums: | ||
# https://sourceforge.net/p/p7zip/discussion/383043/thread/fa143cf2/#1817 | ||
"p7zip is abandoned and may not receive important security fixes" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any known
security vulnerabilities though right now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not as far as I'm aware.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Motivation for this change
This fixes the two CVEs mentioned in the commit (patches taken from Debian).
Additionally, the p7zip-project is a port of 7zip. 7zip appears alive and well, but p7zip has not seen any development since 2016 and no bugfixes or even security fixes are being released.
As discussed in https://discourse.nixos.org/t/p7zip-and-possible-rces/6951, carrying an abandoned project is a risk, so I'm marking the package as unsafe.
p7zip is used by about 35 other packages, so this will lead to issues in other packages. The following is a list of other affected nix files:
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)