From Newsgroup: comp.os.linux.advocacy
So older versions of 7-Zip were not sufficiently watchful when
extracting archives containing symlinks, and attackers could take
advantage of this to try to trick users into extracting an archive
that put files in unexpected places on their systems
<https://www.tomshardware.com/tech-industry/cyber-security/7-zip-flaws-open-door-to-remote-code-execution>.
The bug was fixed in version 25.00, released back in July. It's really
sad to have to keep reading things like this:

    The lack of an automatic update mechanism compounds issues like
    this. 7-Zip must be updated manually, and many users rely on older
    portable versions. Even in enterprise settings, it often escapes
    patch management systems because it isn't installed via Windows
    Installer or a central repository.

Those of us who *have* automatic update mechanisms ... we thumb our
noses at you!
Also:

    ldo@theon:~> dpkg-query -l '*7z*'
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name            Version              Architecture Description
    +++-===============-====================-============-=================================================
    ii  7zip            25.01+dfsg-2         amd64        7-Zip file archiver with a high compression ratio
    ...
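
Added example, not part of the original post and not 7-Zip's own code: a pre-extraction audit for the class of problem the post describes, where symlinks stored in an archive let extracted files land outside the destination directory. It assumes a ZIP archive read with Python's `zipfile` and Unix mode bits stored in `external_attr`; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile

LINK_MODE = (stat.S_IFLNK | 0o777) << 16  # Unix symlink type bits as stored in ZIP external_attr


def _is_abs(p):
    return p.startswith("/") or p[1:2] == ":"  # POSIX root or Windows drive letter


def _escapes(p):
    p = posixpath.normpath(p)
    return _is_abs(p) or p == ".." or p.startswith("../")


def risky_entries(archive_bytes):
    """Return (entry name, reason) pairs for entries an extractor should refuse."""
    findings, links = [], set()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = posixpath.normpath(info.filename.replace("\\", "/"))
            if _escapes(name):
                findings.append((info.filename, "entry path leaves the extraction root"))
                continue
            parts = name.split("/")[:-1]  # parent directories of this entry
            if any("/".join(parts[:i + 1]) in links for i in range(len(parts))):
                findings.append((info.filename, "written through a symlink from the archive"))
            if stat.S_ISLNK(info.external_attr >> 16):
                links.add(name)
                # For a symlink entry, the stored file data is the link target.
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                if _is_abs(target) or _escapes(posixpath.join(posixpath.dirname(name), target)):
                    findings.append((info.filename, "symlink target leaves the extraction root"))
    return findings


def build_sample():
    """Constructed test archive: one escaping symlink, one harmless one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in (("docs/cache", "../../outside"), ("docs/latest", "readme.txt")):
            link = zipfile.ZipInfo(name)
            link.external_attr = LINK_MODE
            zf.writestr(link, target)
        zf.writestr("docs/cache/payload.txt", "x")
    return buf.getvalue()
```

Archives written without Unix mode bits carry no symlink marker in `external_attr`, so this audit only covers link entries recorded that way.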