There were some misunderstandings that I want to clear up (maybe I will add them in an update to the blog post):

1. Some people mentioned that this would "only affect RAR files" and that it would be safe to extract 7z files with 7-Zip prior to version 18.05. This is wrong, because 7-Zip detects the file type from the magic numbers at the beginning of the file. So the exploit can be renamed to 'exploit.7z' and it works just as well.

On /r/sysadmin, someone even mentioned that a temporary solution might be to block RAR files. By the same argument, this is unlikely to be effective.

2. Almost all versions prior to 18.05 are affected. I manually checked versions 15.05 and 17.01, and they are definitely affected.

3. Not only 7-Zip itself is affected, but essentially all software that uses 7z.dll as a library to extract files. This includes various anti-virus software. However, exploitation may be more difficult (though not impossible) if ASLR and DEP are properly enabled (on all modules).
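The point in item 1 cuts both ways for defenders: because 7-Zip dispatches on the header bytes, a mail or upload filter that blocks on the ".rar" extension misses the same content once it is renamed, so a filter has to look at the header too. The following is an added example, not code from the comment or from the 7-Zip project: it classifies attachments by their leading magic bytes (the RAR 4.x, RAR 5.x, 7z and ZIP signatures, which are fixed by those formats) and flags files whose content family disagrees with the extension. The sample attachments are constructed headers with filler, not real archives.

```python
"""Identify archives by their header bytes instead of trusting the file extension.

Added example (not code from the post or from 7-Zip): a filter that blocks
".rar" by name is defeated by renaming, so classify content by magic number.
"""
from pathlib import PurePath

# Magic numbers at offset 0; these values are fixed by the respective formats.
ARCHIVE_SIGNATURES = {
    "rar5": b"Rar!\x1a\x07\x01\x00",  # RAR 5.x
    "rar4": b"Rar!\x1a\x07\x00",      # RAR 1.5 through 4.x
    "7z": b"7z\xbc\xaf\x27\x1c",      # 7z
    "zip": b"PK\x03\x04",             # ZIP local file header
}

# Which family an extension claims to be, so a renamed archive can be spotted.
EXTENSION_FAMILY = {".rar": "rar", ".7z": "7z", ".zip": "zip"}


def family(kind):
    """Collapse the RAR versions into one family for comparison with the extension."""
    return "rar" if kind in ("rar4", "rar5") else kind


def detect_archive_type(data):
    """Return the archive kind implied by the leading bytes, or None if unknown."""
    for kind, signature in ARCHIVE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def classify(filename, data):
    """Return (detected_kind, extension_mismatch).

    extension_mismatch is True when the header identifies a known archive
    whose family differs from what the extension claims (e.g. RAR data
    named .7z). An unknown header never counts as a mismatch here.
    """
    kind = detect_archive_type(data)
    claimed = EXTENSION_FAMILY.get(PurePath(filename).suffix.lower())
    mismatch = kind is not None and claimed is not None and family(kind) != claimed
    return kind, mismatch


def find_rar_content(samples):
    """Return the names of samples carrying a RAR header, whatever their extension.

    samples: mapping of filename -> bytes (for instance one batch of mail attachments).
    """
    return [name for name, data in samples.items()
            if family(detect_archive_type(data)) == "rar"]


# Constructed sample attachments: format headers plus filler, no real archive payload.
SAMPLES = {
    "report.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "renamed.7z": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,  # RAR5 data named .7z
    "archive.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16,
    "notes.txt": b"plain text, not an archive",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(name, data))
    print("RAR content regardless of name:", find_rar_content(SAMPLES))
```

On the constructed samples, "renamed.7z" is reported as RAR 5 content with an extension mismatch, and `find_rar_content` lists both RAR files although only one carries the ".rar" name. A header check like this only sees the outermost container; it says nothing about archives nested inside other archives, which is one more reason the comment's advice to update rather than filter by type is the sounder fix.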
7-Zip needs to start a Go Fund Me or similar for a Code Signing certificate. They're like $69-89/year, which is expensive, but for such a popular piece of software it would be a nice safety net in case of site compromise.

Too bad none of the big CAs have an Open Source/Charity program that would provide an Authenticode Certificate for use with that software.
My guess: Because 7zip is not good auto-update software (does it even warn if there is a new version?), this security bug is HUGE!

Just to give you an example: Many Germans think that http://www.7-zip.de/ is the official site, and you still download 16.04 there.
Great, p7zip is also affected according to an earlier article [1], and the last version, 16.02, is from 2016 [2].

These open source libraries are used everywhere :(

[1]: https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/

[2]: https://sourceforge.net/projects/p7zip/files/p7zip/
Is there software running on Linux which is derived from the same source and is also vulnerable?

Is this package vulnerable?

https://packages.debian.org/sid/p7zip-rar

https://packages.ubuntu.com/bionic/p7zip-rar
I have always used 7-Zip on Windows. Having done some reading now, the author's general attitude towards the tradeoff between security and executable size/speed has convinced me to try not to use it in the future. Thankfully I rarely have to use Windows these days.
Hi all,
In 18.01 Igor had fixed CVE-2018-5996 by adding some variables like _errorMode or m_TablesOK.
And in 18.05 I don't see these variables. Igor replaced them with _solidAllowed to fix CVE-2018-10115. Does it fix both CVE-2018-5996 and CVE-2018-10115?
Thank you
Nowadays when that sort of bug is discovered, the question that naturally comes to my mind is "would that have happened if the software were implemented in (safe) Rust"? In that case it looks like the answer is no.

Of course 7-zip is much older than Rust so that's just a thought experiment.