p7zip & p7zip-rar EOL or transition

Metadata

• package: p7zip, p7zip-rar
• releases: stretch buster bullseye bookworm

Current State

• Dead upstream since v16.02 (2016) https://sourceforge.net/projects/p7zip/files/
• Removed from sid/forky
• Transitional packages to 7zip since trixie https://tracker.debian.org/pkg/p7zip https://tracker.debian.org/pkg/p7zip-rar
• (bookworm has both p7zip and 7zip; <=bullseye only has p7zip)
• Replaced by native Linux support in main 7-zip project https://tracker.debian.org/pkg/7zip https://tracker.debian.org/pkg/7zip-rar

Obstacles Preventing Continued Support

• Dead upstream for p7zip
• Old 7-zip code base
• The main 7-zip project imports new releases in Git but does not provide any history nor CVE information, making it difficult to isolate patches and apply them to older p7zip code base. https://github.com/ip7z/7zip/commits/main/
• There are 5 open vulnerabilities
  • for 2 of them I believe we can pinpoint the patches (from the reporter details for CVE-2023-52168, and from the short-ish 25.01 patch for CVE-2025-55188);
  • for CVE-2025-11001/CVE-2025-11002 the fixes are lost in the 400kB 24.09->25.00 diff https://github.com/ip7z/7zip/commit/395149956d696e6e3099d8b76d797437f94a6942 and AFAICS nobody was able to isolate them;
  • CVE-2025-53816 is more-or-less locatable in the above diff (rar handler) but the version gap makes it difficult to know if p7zip is truly affected https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109494#24

Alternative Courses of Action

• Upstream backport: not possible as p7zip upstream is dead

• Mimic trixie in all dists:

  • Transitional package to 7zip (and 7zip-rar)
  • Upstream backport of 7zip in bookworm to fix open vulnerabilities
  • Introduce new package 7zip in <=bullseye; 7zip has no build-dependencies so should be easily backportable (at first glance) [EDIT: newer 7zip depends on asmc-linux for amd64 assembly code, though this seems optional]
  • Introduce new package 7zip-rar in <=bookworm

• Overwrite p7zip with a newer 7zip + minimal patches (discussion)

  • mimic p7zip version output
  • handle the p7zip-specific -l option

• Switch to a different p7zip fork e.g. https://github.com/p7zip-project/p7zip

Potential Impacts

Impacts of taking no action

Open vulnerabilities: directory traversal, memory corruption in RAR and NTFS handlers. Those were marked <no-dsa> (Minor issue) by the security team so far.

Impacts of full EOL

• Archive formats need to be handled by other packages (unar, zip, unrar-free, etc.),
• Or, extracted archives need to be trusted
• Or, proper isolation is required before manipulating untrusted archives.

Impacts of alternative course(s) of action

• Mimic trixie in all dists:

  • Fully maintain 7zip/7zip-rar in all dists
  • Continue importing new 7zip upstream releases
  • Non-trivial backport as new 7zip packages have ASM support, create a 7z.so, multiple binary packages, etc.

• Overwrite p7zip with a newer 7zip + minimal patches:

  • Should have the least impact

• https://github.com/p7zip-project/p7zip stuck at v22 (upstream is v25)

Additional impacts

Archiver GUI depending on p7zip, for instance file-roller/engrampa, may need to be modified to use and depend on other packages (be it other packages or a newer 7z).

Examples for p7zip->7zip:

• debian-mate-team/engrampa@b7961f85
• qt-kde-team/kde/ark@14e48476

Reverse dependencies can be tricky to find: need to check both p7zip and p7zip-full, and follow Depends,Recommends,Suggests.

/cc @roberto @santiago