CLD-426 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-10115 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) p7zip
Deficiency Type SECURITY
Date Created 2018-06-10 10:20:51
Date Last Modified 2018-06-10 10:57:38

Version Specific Information:

Cucumber 1.0 i686 fixed in p7zip-16.02-i686-4
Cucumber 1.0 x86_64 fixed in p7zip-16.02-x86_64-4

Cucumber 1.1 i686 fixed in p7zip-16.02-i686-4
Cucumber 1.1 x86_64 fixed in p7zip-16.02-x86_64-4

Details:

=================================== Overview ===================================

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before
can lead to usage of uninitialized memory, allowing remote attackers to cause a
denial of service (segmentation fault) or execute arbitrary code via a crafted
RAR archive. 

================================ Initial Report ================================

From
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/:

May 1, 2018
7-Zip: From Uninitialized Memory to Remote Code Execution

After my previous post on the 7-Zip bugs CVE-2017-17969 and CVE-2018-5996, I
continued to spend time on analyzing antivirus software. As it happens, I found
a new bug that (as the last two bugs) turned out to affect 7-Zip as well. Since
the antivirus vendor has not yet published a patch, I will add the name of the
affected product in an update to this post as soon as this happens.

UPDATE (2018-06-05): The antivirus vendor I was talking about was F-Secure.

See the full report at
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/.

================================= Our Analysis =================================

----- Affected Products -----
Versions of p7zip prior to 18.05 that have not had the "patch" from
https://landave.io/files/patch_7zip_CVE-2018-10115.txt applied are vulnerable.
This includes p7zip as originally packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
Allows for arbitrary code execution when extracting a maliciously crafted RAR
archive.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to p7zip 18.05 or later or by
applying the "patch" from
https://landave.io/files/patch_7zip_CVE-2018-10115.txt. Fortunately, the Arch
Linux project has provided a proper patch at
https://git.archlinux.org/svntogit/packages.git/plain/trunk/CVE-2018-10115.patch?h=packages/p7zip.

================================= Our Solution =================================

We have applied the patch from
https://git.archlinux.org/svntogit/packages.git/plain/trunk/CVE-2018-10115.patch?h=packages/p7zip
and rebuilt p7zip.
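
One way to check an installed package name against the fixed builds listed above. This is an added example, not part of the original advisory or of Cucumber Linux's tooling. The function names and the "unlisted" label are hypothetical, the sample names are constructed, and the script assumes package names follow the name-version-arch-build layout seen in the table.

```shell
#!/bin/sh
# Constants taken from the advisory text above.
FIXED_VERSION=16.02     # version of the rebuilt Cucumber packages
FIXED_BUILD=4           # first build carrying the patch
UPSTREAM_FIXED=18.05    # release named under "Fix for this Vulnerability"

# ver_ge A B: succeed when dotted version A >= B, compared field by field.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); m = split(b, y, "[.]")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print fixed | vulnerable | unlisted | not-p7zip | unparseable for one
# package name. Assumption: names are name-version-arch-build, as in the table.
classify_p7zip_pkg() {
    pkg=${1##*/}; pkg=${pkg%.t?z}          # accept a path or a .txz/.tgz name
    case "$pkg" in *-*-*-*) ;; *) echo unparseable; return 0 ;; esac
    build=${pkg##*-};    rest=${pkg%-*}    # fields are split from the right,
    rest=${rest%-*}                        # so hyphens in the name are safe
    version=${rest##*-}; name=${rest%-*}
    buildnum=${build%%[!0-9]*}             # "4_local" -> 4
    [ "$name" = p7zip ] || { echo not-p7zip; return 0; }
    case "$version" in ''|*[!0-9.]*) echo unparseable; return 0 ;; esac
    [ -n "$buildnum" ] || { echo unparseable; return 0; }
    if ver_ge "$version" "$UPSTREAM_FIXED"; then
        echo fixed
    elif [ "$version" != "$FIXED_VERSION" ]; then
        echo unlisted                      # advisory names no fixed build
    elif [ "$buildnum" -ge "$FIXED_BUILD" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample names; substitute the names from the package database.
for p in p7zip-16.02-x86_64-4 p7zip-16.02-i686-3 p7zip-18.05-x86_64-1 \
         p7zip-9.20.1-i686-1 zlib-1.2.11-x86_64-1; do
    printf '%s: %s\n' "$p" "$(classify_p7zip_pkg "$p")"
done
```

A result of "unlisted" means the version is older than 18.05 and this advisory names no fixed build for it, so it should be treated as vulnerable unless the patch is known to have been applied.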