Not turning on standard mitigation techniques because of binary size is one of the strangest reasons I've heard. And then still programming in an unsafe language, quite self-confident for a "humble programmer".

https://www.cs.utexas.edu/~EWD/transcriptions/EWD03xx/EWD340.html
It has already taught us a few lessons, and the one I have chosen to stress in this talk is the following. We shall do a much better programming job, provided that we approach the task with a full appreciation of its tremendous difficulty, provided that we stick to modest and elegant programming languages, provided that we respect the intrinsic limitations of the human mind and approach the task as Very Humble Programmers.
Two comments:

The way it's written, I first took the mention of finding this "during the analysis of a prominent antivirus product" to mean that you were reverse engineering some AV thing and found that it was scanning for this vulnerability (i.e., to protect against bad archives). After a second read, it seems like maybe not, and that the AV itself re-used parts of 7-zip for its own implementation and was therefore vulnerable itself. Still not sure, though.

The way the stylesheet makes the "rendered" form (especially section headings) resemble markdown source is pretty neat.
So I just tried to compile 7-Zip with VS2017 and /DYNAMICBASE. The main binary 7z.dll is 1,569,792 bytes in total, 9344 bytes (0.595%) of which are used by the relocation table. Enabling stack canaries (/GS) gives me a 1,578,496 byte binary (including the relocation table), so another 8704 bytes more.
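The two facts this measurement rests on, whether /DYNAMICBASE was applied and how much of the image the relocation table occupies, can be read straight from the PE headers. As an added example (not the commenter's code, and the sample image it builds is a constructed header, not 7z.dll), the script below reports the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag and the base relocation directory size, and flags the case where the bit is set but no relocations survive, since ASLR can only randomize an image that carries them.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5              # data directory index of .reloc


def pe_reloc_info(data: bytes) -> dict:
    """Read ASLR flag and base-relocation directory size from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: 96-byte fixed part
        dirs = opt + 96
    elif magic == 0x20B:                         # PE32+: 112-byte fixed part
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    _rva, reloc_size = struct.unpack_from(
        "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "dynamic_base": dynamic_base,
        "reloc_size": reloc_size,
        "reloc_ratio": reloc_size / len(data),
        # the flag alone is not enough: a stripped .reloc leaves the image unrelocatable
        "aslr_effective": dynamic_base and reloc_size > 0,
    }


def build_sample_pe(pe32plus: bool, dynamic_base: bool, reloc_size: int,
                    total: int = 4096) -> bytes:
    """Constructed minimal PE header (not a loadable binary) to exercise the check."""
    img = bytearray(total)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, opt + 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    dirs = opt + (112 if pe32plus else 96)
    struct.pack_into("<II", img, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x1000 if reloc_size else 0, reloc_size)
    return bytes(img)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:           # e.g. a locally built 7z.dll
        print(pe_reloc_info(f.read()))
```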
Timeline with a sane date format:

2017-12-29 - Discovery
2017-12-29 - Report
2017-12-29 - MITRE assigned CVE-2017-17969
2018-01-10 - Patched version 7-Zip 18.00 released
Does the most recent version on the 7-Zip website, 18.00 beta, contain the patch? It's two weeks old.

7-Zip doesn't appear to contain an auto-updater or an "update me" button.
While this analysis was done for 7zip, I would imagine that pretty much every packaged implementation on any platform would have these issues, since most people do exactly the same thing - reuse the reference implementation.

Just checked keka on macOS, and it uses the p7zip code.
> If you use Shkarin's PPMd implementation, I would strongly recommend you to harden it by adding out of bound checks wherever possible, and to make sure the basic model invariants always hold.

Sounds like a fun project.