p7zip 16.02: Fix CVE-2022-47069

Upstream Repository: https://sourceforge.net/projects/p7zip/

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
Type: Security Fix
CVE: CVE-2022-47069
Score: 7.8

Note:
- Commit [1] updates complete p7zip archive source for v17 and includes changes
that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
- Similar changes via [2] have been integrated into the upstream 7zip package,
which replaced p7zip 16.02 in OE-Core master.
For the testing:
- Verified fix using steps mentioned at [3], trace not observed.
- Validated against known malicious ZIP samples [3]

References:
[1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
[2] https://github.com/ip7z/7zip/commit/f19f813537c7
[3] https://sourceforge.net/p/p7zip/bugs/241/
[4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069

Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch

@@ -0,0 +1,63 @@
+From 633f61e2eaf6530cf7e53c702c06de1b7a840fa7 Mon Sep 17 00:00:00 2001
+From: Vrushti Dabhi <vdabhi@cisco.com>
+Date: Thu, 27 Nov 2025 01:36:55 -0800
+Subject: [PATCH] Fix out-of-bounds read in ZIP archive processing
+ (CVE-2022-47069)
+
+Add bounds checking and replace unsafe pointer arithmetic with index-based
+access in FindCd() to prevent out-of-bounds read when processing malformed
+ZIP archives.
+
+Testing:
+- Verified fix using steps mentioned at [1], trace not observed.
+- Validated against known malicious ZIP samples [1]
+- Changes merged in upstream p7zip via [2]
+
+CVE: CVE-2022-47069
+Upstream-Status: Pending
+
+References:
+[1] https://sourceforge.net/p/p7zip/bugs/241/
+[2] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
+[3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
+
+Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
+---
+ CPP/7zip/Archive/Zip/ZipIn.cpp | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/CPP/7zip/Archive/Zip/ZipIn.cpp b/CPP/7zip/Archive/Zip/ZipIn.cpp
+index c71c40f..84213b4 100644
+--- a/CPP/7zip/Archive/Zip/ZipIn.cpp
++++ b/CPP/7zip/Archive/Zip/ZipIn.cpp
+@@ -1095,11 +1095,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode)
+     
+     if (i >= kEcd64Locator_Size)
+     {
+-      const Byte *locatorPtr = buf + i - kEcd64Locator_Size;
+-      if (Get32(locatorPtr) == NSignature::kEcd64Locator)
++      const size_t locatorIndex = i - kEcd64Locator_Size;
++      if (Get32(buf + locatorIndex) == NSignature::kEcd64Locator)
+       {
+         CLocator locator;
+-        locator.Parse(locatorPtr + 4);
++        locator.Parse(buf + locatorIndex + 4);
+         if ((cdInfo.ThisDisk == locator.NumDisks - 1 || cdInfo.ThisDisk == 0xFFFF)
+             && locator.Ecd64Disk < locator.NumDisks)
+         {
+@@ -1110,9 +1110,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode)
+           // we try relative backward reading.
+ 
+           UInt64 absEcd64 = endPos - bufSize + i - (kEcd64Locator_Size + kEcd64_FullSize);
++
++          if (locatorIndex >= kEcd64_FullSize)
+           if (checkOffsetMode || absEcd64 == locator.Ecd64Offset)
+           {
+-            const Byte *ecd64 = locatorPtr - kEcd64_FullSize;
++            const Byte *ecd64 = buf + locatorIndex - kEcd64_FullSize;
+             if (Get32(ecd64) == NSignature::kEcd64)
+             {
+               UInt64 mainEcd64Size = Get64(ecd64 + 4);
+-- 
+2.35.6
+

meta-oe/recipes-extended/p7zip/p7zip_16.02.bb

@@ -13,6 +13,7 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al
            file://CVE-2018-5996.patch \
            file://CVE-2016-9296.patch \
            file://0001-Fix-two-buffer-overflow-vulnerabilities.patch \
+           file://CVE-2022-47069.patch \
            "
 
 SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf"