Arch Linux Security Advisory ASA-201806-6
=========================================

Severity: Critical
Date    : 2018-06-09
CVE-ID  : CVE-2018-10115
Package : p7zip
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-714

Summary
=======

The package p7zip before version 16.02-5 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 16.02-5.

# pacman -Syu "p7zip>=16.02-5"

The problem has been fixed upstream in version 18.05.

Workaround
==========

None.

Description
===========

An uninitialized memory security issue has been found in the RAR decoder component of 7-Zip before 18.05, resulting in arbitrary code execution.

Impact
======

A remote attacker can execute arbitrary code via a crafted RAR file.

References
==========

https://bugs.archlinux.org/task/58907
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
https://landave.io/files/patch_7zip_CVE-2018-10115.txt
https://security.archlinux.org/CVE-2018-10115