Hi On Sat, Jul 19, 2025 at 12:15:37PM +0200, Sylvain Beucler wrote: > Hi, > > Looking at https://securitylab.github.com/advisories/GHSL-2025-058_7-Zip/ it > seems CVE-2025-53816 is affecting [p]7zip-rar. > > The analyzed faulty code lies in CPP/7zip/Compress/Rar5Decoder.cpp which is > excluded from [p]7zip (per debian/copyright). > > The code is modified in 25.00 import: > https://github.com/ip7z/7zip/commit/fc662341e6f85da78ada0e443f6116b978f79f22#diff-88a430830000a0af8a34f1f0839670eea79d7b201bad3e5662e97159075880cbR1905-R1906 > > The My_ZeroMemory logic appears to have been introduced in the 24.05 import: > https://github.com/ip7z/7zip/commit/395149956d696e6e3099d8b76d797437f94a6942#diff-88a430830000a0af8a34f1f0839670eea79d7b201bad3e5662e97159075880cbL1905-R1941
Yes it looks I messed up things. I'm reassigning this bug for CVE-2025-53816 only to 7zip-rar. CVE-2025-53817 should be correct, but remains unimportant given only beeing a crash in CLI tool. Regards, Salvatore
