That latest patch will be released in Debian security updates channels shortly.
After discussions with the original researcher, the following minimal patch should now be sufficient. I unfortunately could not get access to the proof of concept either, so this is only validated by the original researcher.
Sérgio, you've deleted your patch? Does any of you have a Shrink zip created file to test this patch on a fixed build? I wish I did as well. I asked the original researcher for a reproducer yesterday, still no news. In the meantime, I have an updated patch which compiles correctly and doesn't seem to cause regression in the normal non-shrink code paths in my summary tests, attached. For what it's worth, upstream 7zip version 18 has a large diff: 454 files changed, 19621 insertions(+), 9865 deletions(-)...
I reviewed the code in 18.00-beta and it seems reasonable. I worked on a simple patch for this, attached, for review.