| Package | p7zip |
|---|---|
| Version | 16.02+really25.01+dfsg-0+deb9u1 (stretch), 16.02+really25.01+dfsg-0+deb10u1 (buster) |
| Related CVEs | CVE-2022-47069 CVE-2023-31102 CVE-2023-40481 CVE-2023-52168 CVE-2023-52169 CVE-2024-11612 CVE-2025-11001 CVE-2025-11002 CVE-2025-53817 CVE-2025-55188 |
Multiple vulnerabilities were discovered in p7zip, a now unmaintained fork of 7-Zip, a file archiver handling multiple formats.
To address these security vulnerabilities, whose fixes are unfortunately not isolated, this update replaces p7zip with 7-Zip v25 (which now supports GNU/Linux natively), slightly modified to make it reasonably compatible with p7zip.
- CVE-2022-47069: heap-buffer-overflow via the function NArchive::NZip::CInArchive::FindCd
- CVE-2023-31102: Ppmd7.c allows an integer underflow and invalid read operation via a crafted 7Z archive
- CVE-2023-40481: SquashFS file parsing out-of-bounds write RCE
- CVE-2023-52168: heap-based buffer overflow in the NTFS handler
- CVE-2023-52169: out-of-bounds read in the NTFS handler
- CVE-2024-11612: CopyCoder infinite loop denial of service
- CVE-2025-11001: ZIP file parsing directory traversal RCE
- CVE-2025-11002: ZIP file parsing directory traversal RCE
- CVE-2025-53817: null pointer dereference in the Compound handler may lead to denial of service
- CVE-2025-55188: does not always properly handle symbolic links
For Debian 10 buster, these problems have been fixed in version 16.02+really25.01+dfsg-0+deb10u1.
For Debian 9 stretch, these problems have been fixed in version 16.02+really25.01+dfsg-0+deb9u1.
We recommend that you upgrade your p7zip packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.