[meta-openembedded,Scarthgap] p7zip 16.02: Fix CVE-2022-47069

From: Vrushti Dabhi <vdabhi@cisco.com>

Upstream Repository: https://sourceforge.net/projects/p7zip/

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
Type: Security Fix
CVE: CVE-2022-47069
Score: 7.8

Note:
- Commit [1] updates complete p7zip archive source for v17 and includes changes
that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
- Similar changes via [2] have been integrated into the upstream 7zip package,
which replaced p7zip 16.02 in OE-Core master.
For the testing:
- Verified fix using steps mentioned at [3], trace not observed.
- Validated against known malicious ZIP samples [3]

References:
[1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
[2] https://github.com/ip7z/7zip/commit/f19f813537c7
[3] https://sourceforge.net/p/p7zip/bugs/241/
[4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069

Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
---
 .../p7zip/files/CVE-2022-47069.patch          | 63 +++++++++++++++++++
 meta-oe/recipes-extended/p7zip/p7zip_16.02.bb |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch

Anuj,

Do you see showstopper issues with this patch? Or did it just fell
through the cracks accidentally?

On 12/11/25 12:33, Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE
LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Vrushti Dabhi <vdabhi@cisco.com>
>
> Upstream Repository: https://sourceforge.net/projects/p7zip/
>
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
> Type: Security Fix
> CVE: CVE-2022-47069
> Score: 7.8
>
> Note:
> - Commit [1] updates complete p7zip archive source for v17 and includes changes
> that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
> - Similar changes via [2] have been integrated into the upstream 7zip package,
> which replaced p7zip 16.02 in OE-Core master.
> For the testing:
> - Verified fix using steps mentioned at [3], trace not observed.
> - Validated against known malicious ZIP samples [3]
>
> References:
> [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> [2] https://github.com/ip7z/7zip/commit/f19f813537c7
> [3] https://sourceforge.net/p/p7zip/bugs/241/
> [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
>
> Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
> ---
>  .../p7zip/files/CVE-2022-47069.patch          | 63 +++++++++++++++++++
>  meta-oe/recipes-extended/p7zip/p7zip_16.02.bb |  1 +
>  2 files changed, 64 insertions(+)
>  create mode 100644 meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch
>
> diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch
> new file mode 100644
> index 0000000000..586c0e82dc
> --- /dev/null
> +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch
> @@ -0,0 +1,63 @@
> +From 633f61e2eaf6530cf7e53c702c06de1b7a840fa7 Mon Sep 17 00:00:00 2001
> +From: Vrushti Dabhi <vdabhi@cisco.com>
> +Date: Thu, 27 Nov 2025 01:36:55 -0800
> +Subject: [PATCH] Fix out-of-bounds read in ZIP archive processing
> + (CVE-2022-47069)
> +
> +Add bounds checking and replace unsafe pointer arithmetic with index-based
> +access in FindCd() to prevent out-of-bounds read when processing malformed
> +ZIP archives.
> +
> +Testing:
> +- Verified fix using steps mentioned at [1], trace not observed.
> +- Validated against known malicious ZIP samples [1]
> +- Changes merged in upstream p7zip via [2]
> +
> +CVE: CVE-2022-47069
> +Upstream-Status: Pending
> +
> +References:
> +[1] https://sourceforge.net/p/p7zip/bugs/241/
> +[2] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> +[3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
> +
> +Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
> +---
> + CPP/7zip/Archive/Zip/ZipIn.cpp | 10 ++++++----
> + 1 file changed, 6 insertions(+), 4 deletions(-)
> +
> +diff --git a/CPP/7zip/Archive/Zip/ZipIn.cpp b/CPP/7zip/Archive/Zip/ZipIn.cpp
> +index c71c40f..84213b4 100644
> +--- a/CPP/7zip/Archive/Zip/ZipIn.cpp
> ++++ b/CPP/7zip/Archive/Zip/ZipIn.cpp
> +@@ -1095,11 +1095,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode)
> +     
> +     if (i >= kEcd64Locator_Size)
> +     {
> +-      const Byte *locatorPtr = buf + i - kEcd64Locator_Size;
> +-      if (Get32(locatorPtr) == NSignature::kEcd64Locator)
> ++      const size_t locatorIndex = i - kEcd64Locator_Size;
> ++      if (Get32(buf + locatorIndex) == NSignature::kEcd64Locator)
> +       {
> +         CLocator locator;
> +-        locator.Parse(locatorPtr + 4);
> ++        locator.Parse(buf + locatorIndex + 4);
> +         if ((cdInfo.ThisDisk == locator.NumDisks - 1 || cdInfo.ThisDisk == 0xFFFF)
> +             && locator.Ecd64Disk < locator.NumDisks)
> +         {
> +@@ -1110,9 +1110,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode)
> +           // we try relative backward reading.
> + 
> +           UInt64 absEcd64 = endPos - bufSize + i - (kEcd64Locator_Size + kEcd64_FullSize);
> ++
> ++          if (locatorIndex >= kEcd64_FullSize)
> +           if (checkOffsetMode || absEcd64 == locator.Ecd64Offset)
> +           {
> +-            const Byte *ecd64 = locatorPtr - kEcd64_FullSize;
> ++            const Byte *ecd64 = buf + locatorIndex - kEcd64_FullSize;
> +             if (Get32(ecd64) == NSignature::kEcd64)
> +             {
> +               UInt64 mainEcd64Size = Get64(ecd64 + 4);
> +-- 
> +2.35.6
> +
> diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
> index 31a12fdb04..3ac0ed03cd 100644
> --- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
> +++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
> @@ -13,6 +13,7 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al
>             file://CVE-2018-5996.patch \
>             file://CVE-2016-9296.patch \
>             file://0001-Fix-two-buffer-overflow-vulnerabilities.patch \
> +           file://CVE-2022-47069.patch \
>             "
>  
>  SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#122584): https://lists.openembedded.org/g/openembedded-devel/message/122584
> Mute This Topic: https://lists.openembedded.org/mt/116727783/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Hi,

On Mon, Dec 22, 2025 at 11:53 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> Anuj,
>
> Do you see showstopper issues with this patch? Or did it just fell
> through the cracks accidentally?

Sorry, I did have questions on this patch so didn't include it but
forgot to respond. Thank you for reminding.

>
> On 12/11/25 12:33, Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE
> LIMITED at Cisco) via lists.openembedded.org wrote:
> > From: Vrushti Dabhi <vdabhi@cisco.com>
> >
> > Upstream Repository: https://sourceforge.net/projects/p7zip/
> >
> > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
> > Type: Security Fix
> > CVE: CVE-2022-47069
> > Score: 7.8
> >
> > Note:
> > - Commit [1] updates complete p7zip archive source for v17 and includes changes
> > that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
> > - Similar changes via [2] have been integrated into the upstream 7zip package,
> > which replaced p7zip 16.02 in OE-Core master.
> > For the testing:
> > - Verified fix using steps mentioned at [3], trace not observed.
> > - Validated against known malicious ZIP samples [3]
> >
> > References:
> > [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> > [2] https://github.com/ip7z/7zip/commit/f19f813537c7
> > [3] https://sourceforge.net/p/p7zip/bugs/241/
> > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069

It looks like the patch attached in this bug is different from the
changes below. It's not clear to me how the fix was derived from [1]
and [2] and how is [4] relevant.

Thanks,

Anuj

Hi Anuj,

As per p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116<https://sourceforge.net/p/p7zip/bugs/241/> ([3]) the trace points to FindCd() and the proposed patch for the same was mentioned in 1209648 – (CVE-2022-47069, CVE-2023-1576) VUL-0: CVE-2022-47069: p7zip: Heap buffer overflow in ZipIn.cpp<https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069> ([4])
- git history of p7zip has no individual commit that has fixes this CVE, but the changes mentioned in proposed patch are part of the latest version via commit update zip archive file · p7zip-project/p7zip@d7a903f<https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2>([1])
- Compared the source code and tried adding similar changes as the proposed patch.
- The proposed patch in 1209648 – (CVE-2022-47069, CVE-2023-1576) VUL-0: CVE-2022-47069: p7zip: Heap buffer overflow in ZipIn.cpp<https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069> ([4]) has incomplete changes, therefore modified source code with the additional required changes.
- With the added changes also confirmed that, there is no trace observed as mentioned in bug p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116<https://sourceforge.net/p/p7zip/bugs/241/> ([3])

Regards,
Vrushti
________________________________
From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> on behalf of Anuj Mittal via lists.openembedded.org <anuj.mittal=oss.qualcomm.com@lists.openembedded.org>
Sent: Tuesday, December 23, 2025 5:22 AM
To: Gyorgy Sarvari <skandigraun@gmail.com>
Cc: Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE LIMITED at Cisco) <vdabhi@cisco.com>; openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org>
Subject: Re: [oe] [meta-openembedded] [Scarthgap] [PATCH] p7zip 16.02: Fix CVE-2022-47069

Hi,

On Mon, Dec 22, 2025 at 11:53 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> Anuj,
>
> Do you see showstopper issues with this patch? Or did it just fell
> through the cracks accidentally?

Sorry, I did have questions on this patch so didn't include it but
forgot to respond. Thank you for reminding.

>
> On 12/11/25 12:33, Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE
> LIMITED at Cisco) via lists.openembedded.org wrote:
> > From: Vrushti Dabhi <vdabhi@cisco.com>
> >
> > Upstream Repository: https://sourceforge.net/projects/p7zip/
> >
> > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
> > Type: Security Fix
> > CVE: CVE-2022-47069
> > Score: 7.8
> >
> > Note:
> > - Commit [1] updates complete p7zip archive source for v17 and includes changes
> > that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
> > - Similar changes via [2] have been integrated into the upstream 7zip package,
> > which replaced p7zip 16.02 in OE-Core master.
> > For the testing:
> > - Verified fix using steps mentioned at [3], trace not observed.
> > - Validated against known malicious ZIP samples [3]
> >
> > References:
> > [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> > [2] https://github.com/ip7z/7zip/commit/f19f813537c7
> > [3] https://sourceforge.net/p/p7zip/bugs/241/
> > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069

It looks like the patch attached in this bug is different from the
changes below. It's not clear to me how the fix was derived from [1]
and [2] and how is [4] relevant.

Thanks,

Anuj

On Tue, Dec 23, 2025 at 4:40 PM Vrushti Dabhi -X (vdabhi - E INFOCHIPS
PRIVATE LIMITED at Cisco) <vdabhi@cisco.com> wrote:
>
> Hi Anuj,
>
> As per p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116 ([3]) the trace points to FindCd() and the proposed patch for the same was mentioned in 1209648 – (CVE-2022-47069, CVE-2023-1576) VUL-0: CVE-2022-47069: p7zip: Heap buffer overflow in ZipIn.cpp ([4])
> - git history of p7zip has no individual commit that has fixes this CVE, but the changes mentioned in proposed patch are part of the latest version via commit update zip archive file · p7zip-project/p7zip@d7a903f([1])
> - Compared the source code and tried adding similar changes as the proposed patch.
> - The proposed patch in 1209648 – (CVE-2022-47069, CVE-2023-1576) VUL-0: CVE-2022-47069: p7zip: Heap buffer overflow in ZipIn.cpp ([4]) has incomplete changes, therefore modified source code with the additional required changes.

Thank you for explaining. The patch that was finally applied for that
bug is here: https://build.opensuse.org/projects/SUSE:SLE-15-SP6:Update/packages/p7zip/files/CVE-2023-1576.patch?expand=1

I will take the change in next series.



> - With the added changes also confirmed that, there is no trace observed as mentioned in bug p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116 ([3])
>
> Regards,
> Vrushti
> ________________________________
> From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> on behalf of Anuj Mittal via lists.openembedded.org <anuj.mittal=oss.qualcomm.com@lists.openembedded.org>
> Sent: Tuesday, December 23, 2025 5:22 AM
> To: Gyorgy Sarvari <skandigraun@gmail.com>
> Cc: Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE LIMITED at Cisco) <vdabhi@cisco.com>; openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org>
> Subject: Re: [oe] [meta-openembedded] [Scarthgap] [PATCH] p7zip 16.02: Fix CVE-2022-47069
>
> Hi,
>
> On Mon, Dec 22, 2025 at 11:53 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
> >
> > Anuj,
> >
> > Do you see showstopper issues with this patch? Or did it just fell
> > through the cracks accidentally?
>
> Sorry, I did have questions on this patch so didn't include it but
> forgot to respond. Thank you for reminding.
>
> >
> > On 12/11/25 12:33, Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE
> > LIMITED at Cisco) via lists.openembedded.org wrote:
> > > From: Vrushti Dabhi <vdabhi@cisco.com>
> > >
> > > Upstream Repository: https://sourceforge.net/projects/p7zip/
> > >
> > > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
> > > Type: Security Fix
> > > CVE: CVE-2022-47069
> > > Score: 7.8
> > >
> > > Note:
> > > - Commit [1] updates complete p7zip archive source for v17 and includes changes
> > > that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
> > > - Similar changes via [2] have been integrated into the upstream 7zip package,
> > > which replaced p7zip 16.02 in OE-Core master.
> > > For the testing:
> > > - Verified fix using steps mentioned at [3], trace not observed.
> > > - Validated against known malicious ZIP samples [3]
> > >
> > > References:
> > > [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> > > [2] https://github.com/ip7z/7zip/commit/f19f813537c7
> > > [3] https://sourceforge.net/p/p7zip/bugs/241/
> > > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
>
> It looks like the patch attached in this bug is different from the
> changes below. It's not clear to me how the fix was derived from [1]
> and [2] and how is [4] relevant.
>
> Thanks,
>
> Anuj