I had a quick look at the p7zip package on broken.sh and noticed that it contains two possible RCE vulnerabilities: CVE-2018-5996 and CVE-2018-10115, the latter being unlisted on broken.sh but mentioned in the p7zip forums and basically confirmed on the German IT news site heise.de. The last upstream update is from 2016 (version 16.02), while their upstream (it's just a port of 7zip) is at version 19.00.
The forum is somewhat silent and one of the last discussions is from 2019 and is about the development model of 7zip and p7zip, where the developer of 7zip chimed in and said that the developer for p7zip appears to be missing: p7zip / Discussion / Open Discussion: 7zip and p7zip collaboration
In my opinion this means the project is effectively dead and we will essentially have to support it ourselves.
I would suggest marking it as insecure and trying to get rid of it… but it's used by a lot of other packages. While some are probably not a real issue (like rarcrack), others like unetbootin and kde/ark or playonlinux and wine will probably hurt people who are, e.g., using desktops on NixOS.
Even Debian seems to be just carrying unofficial patches found on the forums or on random internet pages. Their security tracker claims that they are not vulnerable, though I cannot find any patch for that; it could just mean that the vulnerable part is not included in their package due to the unfree licensing of the affected RAR support? I'm not sure about that.
So what do we do about this issue? Ignoring it sounds like a bad plan. Do we try to get rid of p7zip? Try to track Debian? Or do we hope to keep up with that ourselves?
I’d suggest to mark it as insecure for the reasons above, at least until there’s a somewhat canonical place to obtain patches from.
Probably some of the packages referring to p7zip can fall back to using other decompression tools - I'd expect people to step up and fix things if they care about it - this is similar to how we did it with unsupported SSL versions.
Thank you for noticing this. I just got notified of p7zip's insecurity when updating. Do you happen to know any alternatives for direct command line usage? My use-case is mostly "ain't nobody got time to remember tar flags", and the nice thing about p7zip is that it can unpack just about everything without any arcane flags.
On the command line I personally use bsdtar from libarchive. bsdtar xf <file> will extract all sorts of formats, and it detects them based on file content, so it still works when using - for piping: no extra z or J or something.
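An added example, not code from the post above or from libarchive: a small POSIX shell sniffer that does the same content-based detection bsdtar relies on, so the format of data arriving on stdin can be named without remembering a flag, plus a wrapper that only hands bsdtar the formats you actually expect. The magic numbers are the published ones for each format; archive_type and extract_stdin are names chosen for this example, while bsdtar's -xf and -C are its real options.

```shell
#!/bin/sh
# Added example, not from the thread or from libarchive: name an archive's
# format purely from its leading bytes, the way bsdtar does, so the decision
# also works for data arriving on stdin ("-") with no -z / -J / --format flag.
# Magic numbers are the published ones; function names are chosen here.

# Usage: archive_type < file    or    some_command | archive_type
# Prints one of: gzip bzip2 xz zstd zip 7z tar unknown
archive_type() {
    # Read enough to include the tar "ustar" marker, which sits at byte
    # offset 257, and turn it into one lower-case hex string, no separators.
    hex=$(head -c 300 | od -A n -v -t x1 | tr -d ' \n')
    case "$hex" in
        1f8b*)               echo gzip ;;   # 1f 8b
        425a68*)             echo bzip2 ;;  # "BZh"
        fd377a585a00*)       echo xz ;;     # fd "7zXZ" 00
        28b52ffd*)           echo zstd ;;   # 28 b5 2f fd
        504b0304*|504b0506*) echo zip ;;    # "PK\3\4", or "PK\5\6" for an empty zip
        377abcaf271c*)       echo 7z ;;     # "7z" bc af 27 1c
        *)
            # tar has no leading magic; ustar/pax archives carry "ustar" at
            # byte offset 257, which is hex characters 515-524 of the dump.
            case "$(printf '%s' "$hex" | cut -c515-524)" in
                7573746172) echo tar ;;
                *)          echo unknown ;;
            esac ;;
    esac
}

# Extract data on stdin into a directory with bsdtar, but only for formats
# the sniffer recognises: an allowlist, so an unexpected container format
# never reaches a parser you did not intend to expose. bsdtar needs the
# whole stream, so it is spooled to a temporary file first.
extract_stdin() {
    dir=$1
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    fmt=$(archive_type < "$tmp")
    if [ "$fmt" = unknown ]; then
        echo "extract_stdin: unrecognised archive format, refusing" >&2
        rm -f "$tmp"
        return 2
    fi
    # bsdtar sniffs the content itself; the pre-check only makes the refusal
    # explicit and tells the caller which kind of archive it was ($fmt).
    bsdtar -xf "$tmp" -C "$dir"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

For plain interactive use the sniffer is unnecessary, since bsdtar xf - already does this internally; the point of archive_type is to make the detection visible and to let a script decide, before any parser runs, whether it wants that format at all.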
I recommend arc(1), in the archiver package, for general use; it’s written in a memory safe language and supports a wide variety of formats, but unfortunately not .7z. unar supports .7z; I think it might be the only non-deprecated free software package in nixpkgs that does, though I haven’t performed an exhaustive search.
I think it would be a good idea to recommend alternatives in the nixpkgs warning.