>>> Magnum BBS <<<

  • Bug#1109494: 7zip: CVE-2025-53816 (rar)

    From Salvatore Bonaccorso@21:1/5 to Sylvain Beucler on Sat Jul 19 15:00:01 2025
    Hi

    On Sat, Jul 19, 2025 at 12:15:37PM +0200, Sylvain Beucler wrote:
    > Hi,
    >
    > Looking at https://securitylab.github.com/advisories/GHSL-2025-058_7-Zip/ it seems CVE-2025-53816 is affecting [p]7zip-rar.
    >
    > The analyzed faulty code lies in CPP/7zip/Compress/Rar5Decoder.cpp which is excluded from [p]7zip (per debian/copyright).
    >
    > The code is modified in 25.00 import: https://github.com/ip7z/7zip/commit/fc662341e6f85da78ada0e443f6116b978f79f22#diff-88a430830000a0af8a34f1f0839670eea79d7b201bad3e5662e97159075880cbR1905-R1906
    >
    > The My_ZeroMemory logic appears to have been introduced in the 24.05 import: https://github.com/ip7z/7zip/commit/395149956d696e6e3099d8b76d797437f94a6942#diff-88a430830000a0af8a34f1f0839670eea79d7b201bad3e5662e97159075880cbL1905-R1941

    Yes, it looks like I messed things up. I'm reassigning this bug for
    CVE-2025-53816 only to 7zip-rar.

    CVE-2025-53817 should be correct, but remains unimportant given only
    being a crash in CLI tool.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)