Slashdot Mirror


Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools (theregister.co.uk)

mask.of.sanity quotes a report from The Register: Some of the world's biggest security and software vendors will be rushing to patch holes in implementations of the popular 7-Zip compression tool to stop attackers gaining full control of customer machines. Marcin Noga, Cisco security researcher, found and reported the holes to the platform, which could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users. FireEye and MalwareBytes are two of many products that use 7-Zip. "An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files ... [which] can be triggered by any entry that contains a malformed Long Allocation Descriptor," Colleague of The Register Jaeson Schultz said. The flaws were fixed in 7-Zip 16.00, which was released Tuesday.
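
Added illustration, not code from 7-Zip, Talos or The Register: a bounds-checked reader for the kind of extent descriptor the summary names. The 16-byte little-endian layout, the single-partition assumption and the sample image are assumptions made for this example; `extent_in_bounds()` is the check whose absence lets a malformed descriptor drive an out-of-bounds read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Descriptor layout assumed for this example (a 16-byte ECMA-167 long_ad,
 * little-endian); the page only names the descriptor type:
 *   bytes 0..3   extent length in the low 30 bits, extent type in the top 2
 *   bytes 4..7   logical block number the extent starts at
 *   bytes 8..9   partition reference number
 *   bytes 10..15 implementation use (ignored here) */
enum { LONG_AD_SIZE = 16, EXTENT_LEN_MASK = 0x3FFFFFFF };

typedef struct {
    uint32_t extent_len;
    uint32_t extent_type;
    uint32_t block_num;
    uint16_t part_ref;
} long_ad;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Step 1: the descriptor itself must lie inside the buffer being parsed.
 * Returns 0 on success, -1 if it does not fit. */
int parse_long_ad(const uint8_t *buf, size_t len, size_t off, long_ad *out) {
    if (off > len || len - off < LONG_AD_SIZE) return -1;
    uint32_t raw = le32(buf + off);
    out->extent_len  = raw & EXTENT_LEN_MASK;
    out->extent_type = raw >> 30;
    out->block_num   = le32(buf + off + 4);
    out->part_ref    = le16(buf + off + 8);
    return 0;
}

/* Step 2: before the extent is dereferenced, prove it lies inside the image.
 * Skipping this check is what lets a malformed block number or length drive
 * a read past the end of the image. Assumes a single partition (part_ref 0). */
int extent_in_bounds(const long_ad *ad, uint32_t block_size, size_t image_len) {
    if (ad->part_ref != 0 || block_size == 0) return 0;
    if (ad->block_num > SIZE_MAX / block_size) return 0;     /* start would overflow */
    size_t start = (size_t)ad->block_num * block_size;
    if (start > image_len || image_len - start < ad->extent_len) return 0;
    return 1;
}

/* Copies min(extent_len, dst_len) bytes of the extent into dst.
 * Returns the byte count, or -1 if the extent is not fully inside image. */
long read_extent(const uint8_t *image, size_t image_len, const long_ad *ad,
                 uint32_t block_size, uint8_t *dst, size_t dst_len) {
    if (!extent_in_bounds(ad, block_size, image_len)) return -1;
    size_t n = ad->extent_len < dst_len ? ad->extent_len : dst_len;
    memcpy(dst, image + (size_t)ad->block_num * block_size, n);
    return (long)n;
}

/* Constructed 4-block image (block size 16), not a real UDF volume:
 *   block 0: descriptor -> 8 bytes at block 2 (sane)
 *   block 1: descriptor -> 8 bytes at block 16 (points past the image)
 *   block 2: payload "DATA-ONE"
 *   block 3: unused */
#define BLOCK 16
static const uint8_t IMAGE[4 * BLOCK] = {
    0x08,0,0,0, 0x02,0,0,0, 0,0, 0,0,0,0,0,0,
    0x08,0,0,0, 0x10,0,0,0, 0,0, 0,0,0,0,0,0,
    'D','A','T','A','-','O','N','E', 0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
};

/* Shared output buffer for the demo. */
uint8_t payload[16];

/* Parses the descriptor at `off` and tries to read its extent into payload.
 * Returns bytes read, -1 for an out-of-bounds extent, -2 for a truncated descriptor. */
long check_descriptor(size_t off) {
    long_ad ad;
    if (parse_long_ad(IMAGE, sizeof IMAGE, off, &ad) != 0) return -2;
    return read_extent(IMAGE, sizeof IMAGE, &ad, BLOCK, payload, sizeof payload);
}

int main(void) {
    printf("descriptor at 0:  %ld\n", check_descriptor(0));   /* 8  */
    printf("descriptor at 16: %ld\n", check_descriptor(16));  /* -1 */
    printf("descriptor at 56: %ld\n", check_descriptor(56));  /* -2 */
    return 0;
}
```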

109 comments

  1. Re:Big pile of mess to clean up by 110010001000 · · Score: 5, Funny

    "catched it"? Your spell checker should have caught that one.

  2. Stable? by sims+2 · · Score: 1

    I'm glad to see it's finally out of beta.

    --
    Minimum threshold fixed. Thanks!
    1. Re:Stable? by Anonymous Coward · · Score: 0

      There were two stable releases last year, but it was easy to miss them considering the previous stable release had been in 2010.

  3. Re: Big pile of mess to clean up by LoRdTAW · · Score: 1

    I think you meant language debugger.

  4. Re: Big pile of mess to clean up by viperidaenz · · Score: 3, Funny

    Or Parsey McParseface

  5. DANGEROUS? by Anonymous Coward · · Score: 0

    You mean... it's killed children!?

  6. Open Source And Would Not Be Here by Anonymous Coward · · Score: 0

    This is why millions of eyes on code is a solid requirement for any software. It IS the undisputed truth.

    1. Re:Open Source And Would Not Be Here by malditaenvidia · · Score: 0

      It also ensures these vulnerabilities will be fixed. I wonder how many undisclosed holes winZIP and winRAR have.

    2. Re:Open Source And Would Not Be Here by CoderJoe · · Score: 1

      How long has OpenSSL been open source and had major vulnerabilities before they were found?

    3. Re:Open Source And Would Not Be Here by Anonymous Coward · · Score: 0

      you mean this source code?

      https://sourceforge.net/projects/sevenzip/files/7-Zip/16.00/7z1600-src.7z/download

    4. Re:Open Source And Would Not Be Here by Jawnn · · Score: 1

      How long has OpenSSL been open source and had major vulnerabilities before they were found?

      A pretty long time. What is your point? Surely you are not arguing that those flaws would have been found sooner if it had been closed source. That would just be stupid.

  7. "user permissions" != "full control" by gweihir · · Score: 2

    At least in any sane system, and Windows has started, a few decades late, to use sound OS design practices. So no, not "full control".

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0, Insightful

      Except Linux has permission escalation bugs that can turn user permissions into root permissions, and those bugs are not given very high priority.

    2. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      rm -rf $HOME/*

    3. Re:"user permissions" != "full control" by aberglas · · Score: 3, Insightful

      The myth of root is just that. The days of lots of people sharing the one client computer are long gone. For PCs, most of the good stuff is accessible in user mode. All the documents, email etc.

    4. Re:"user permissions" != "full control" by johannesg · · Score: 3, Interesting

      What "sound design practices" would those be? As far as I can tell, the choice is still either full denial (resulting in not being able to use the software), or the keys to the kingdom (based on whether you trust that the developer is kosher and his website has not been compromised). There is no middle ground - "install this, but keep it locked in a sandbox".

      And Linux is just as bad. So what if the OS protects itself from the users? The OS has literally zero value; if it gets wiped, it's 30 minutes work to rebuild it from scratch, less if you made an image. It's the _data_ that is on the machine, completely unprotected by all those clever permission schemes, that will be lost if any compromised software is allowed to run. If you run "rm -rf /", you remove precisely all the files anyone cares about.

      The Linux permission schema was designed when computers were hulking beasts that shared limited resources between many users that needed protection from each other. We then moved through personal (i.e. single user) computers where such protection is of limited use, to today's practice of having each application running in a container - providing data protection in the form of a kind of meta-OS, since the main OS is clearly just not capable enough.

      The whole thing, whether in Windows or in Linux, is just one big clusterfuck of endless wasted effort solving entirely the wrong problem.

    5. Re:"user permissions" != "full control" by gweihir · · Score: 1

      You may have a lot of access and control as user, but not "full control".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:"user permissions" != "full control" by gweihir · · Score: 3, Interesting

      My take is more that the problem is people not understanding the permission system. Used right, it works pretty well. The whole container-thing comes from people not understanding how to isolate things using the classical UNIX model (and software distributed as binary, of course). Incidentally, containers make you _less_ secure against a competent attacker as they add additional ways to compromise the system and disregard KISS, while pretending otherwise.
       

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      except for, of course, the tens of thousands of companies that run more than one shift, and aren't total IT losers like our parent poster. Hell, even Windows users have figured out how to copy their profiles and desktop settings to multiple machines.
      buy a clue.

    8. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      You may have a lot of access and control as user, but not "full control".

      How about "full control of anything of importance"?

    9. Re:"user permissions" != "full control" by fuzzyfuzzyfungus · · Score: 2

      I suspect that part of the concern is that 7zip is sometimes found in program installers, which typically do run with elevated permissions. Those are also the places where obsolete versions are probably going to remain embedded forever unless the vendor cares atypically much about fixing them.

      It'll be harder to trick an installer to chew on a suitably malformed file, compared to a user just using 7zip; but if you can manage it, you get a nice, handy, elevated context.

    10. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      No one's responded with "obligatory xkcd" yet?

    11. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      https://xkcd.com/1200/

    12. Re:"user permissions" != "full control" by Insightfill · · Score: 3, Funny

      At least in any sane system, and Windows has started, a few decades late, to use sound OS design practices. So no, not "full control".

      I haven't had "full control" of my Windows computer in a while. Maybe I can use this 7zip vulnerability to get something back from this beast of Windows 10.

    13. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      Those who do not understand unix are doomed to reimplement it poorly. On what planet do you "have each application running in a container"? Go to any datacenter and bring up a root console, you'll see everything running under different user ids, sharing the resources on the machine. Like it's supposed to.

    14. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      So how does your imaginary permission system protect my documents from a virus that came in through a 7-Zip zero day and that is currently running under the exact same user account as 7-Zip and my word processor, i.e. mine?

    15. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      There are 'application firewall' systems where specific applications are allowed to access specific areas and types of data and others are not, irrespective of the user account. For instance an installer that tries to root around in a folder full of documents might be not kosher.

    16. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      The myth of root is just that. The days of lots of people sharing the one client computer are long gone. For PCs, most of the good stuff is accessible in user mode. All the documents, email etc.

      True, though things like installing software, changing settings, taking over keyboard control, etc. are still restricted to "admin-level" access. Things like file system snapshots and write access to backups (e.g., Time Machine) are also not accessible to "regular-level" accounts.

      So yes, information (documents, e-mails) can be gained via the user's "normal" day-to-day account, but if that account does not have "admin-level" access, then recovering / restoring things can be a lot easier if you don't have to start from bare-metal. For example, we were hit with some kind of ransomware at work on a particular file server share that had a lot of stuff (tens of TB). It was no big deal though because we had daily snapshots running for that area, and simply restored things in relatively short order.*

      By using a non-privileged account, users can limit damage and restore quickly. (Of course many attacks take a remote attack and then leverage a local-only exploit, but by not using an admin-level account it's one more hoop to jump through.)

      * Which when I hear about (say) organizations being hit, I wonder: why don't they just restore from (read-only) snapshots or backups? Sure the desktops can be hosed, but those can simply be re-imaged. And if your data is on a file server, why wouldn't you be using snapshots (in addition to backups)?

    17. Re:"user permissions" != "full control" by tlhIngan · · Score: 1

      At least in any sane system, and Windows has started, a few decades late, to use sound OS design practices. So no, not "full control".

      Depends on the process.

      An antivirus/malware scanner may very well run with elevated privileges since it needs to be able to scan files the user doesn't have direct access to. Thus, it's possible that a carefully crafted 7z file can be used to run code in an elevated mode...

    18. Re:"user permissions" != "full control" by gweihir · · Score: 1

      Which nicely illustrates my point: You do not understand what a permission system is for, as that is not its task.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re:"user permissions" != "full control" by Tapewolf · · Score: 1

      And Linux is just as bad. So what if the OS protects itself from the users? The OS has literally zero value; if it gets wiped, it's 30 minutes work to rebuild it from scratch, less if you made an image. It's the _data_ that is on the machine, completely unprotected by all those clever permission schemes, that will be lost if any compromised software is allowed to run. If you run "rm -rf /", you remove precisely all the files anyone cares about.

      Depends what you're trying to do. If the aim is to destroy the user's data, hold it hostage or sift through it for credentials or other useful info, yes, you're screwed.

      But you can't spam email or run a phishing server on a standard port because opening a listener on any port below 1024 requires root. Installing system-level malware requires root. You could set up some kind of user-level autorun but the implementation will likely depend on the shell they're using, Unity, Gnome, KDE, XFCE.

    20. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      I have no directories in my $HOME, you insensitive clod.

    21. Re:"user permissions" != "full control" by gweihir · · Score: 1

      Not even that and by a far cry. Maybe "full control of what the clueless user thinks is important".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re:"user permissions" != "full control" by gweihir · · Score: 1

      I might add that preventing things a user starts from destroying all that user's data is not actually a task of the permission system.

      The correct fix for 7z is to fix the vulnerability. As 7z must be able to read and write arbitrary files to do its job, there is _nothing_ the permission system can do, not even MAC like SELinux would help. All those people blaming the "OS" really do not understand what they are talking about.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    23. Re:"user permissions" != "full control" by gweihir · · Score: 1

      A clean installer will not work on anything except the files it came with and it will not run any code (package or otherwise) that a user gives to it with elevated privileges. And there we have the problem: On Windows, you are supposed to give root-permissions to far too many things, making them pretty meaningless.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    24. Re:"user permissions" != "full control" by Tapewolf · · Score: 1

      As 7z must be able to read and write arbitrary files to do its job, there is _nothing_ the permission system can do, not even MAC like SELinux would help. All those people blaming the "OS" really do not understand what they are talking about.

      An excellent point. A granular permission system similar to Android's would help in many cases, e.g. preventing a text editor from performing a DDOS attack, but it cannot stop a file manager or archiver from attacking the user's files.

    25. Re:"user permissions" != "full control" by Paul+Carver · · Score: 1

      List five things that a non-admin user can't access/change/delete that can't be restored by wiping and reinstalling.

      The important stuff on the computer is the stuff the "clueless user" created or modified, not the stuff that was preloaded or installed from download/auto-update/disc or deployed by an administrator on thousands of machines via push automation.

    26. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      Contrary to you apparently, I do understand what a permission system does and what it is for, but you don't understand that on most computers it serves (almost) no useful purpose. You're just proving Johannes's point: ‘The OS has literally zero value; if it gets wiped, it's 30 minutes work to rebuild it from scratch, less if you made an image. It's the data that is on the machine, completely unprotected by all those clever permission schemes, that will be lost if any compromised software is allowed to run.’

    27. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0

      And they are mostly useless because they either create so much hassle that you cannot get any work done, or you run into issues like 7-Zip having to be able to access your documents in order to put them in archives, and therefore something that sneaked in via 7-Zip can do the same.

  8. Apologists Unite! by Anonymous Coward · · Score: 0

    Derpitydoo open blahbityda source bliperado many hurrdurr eyes!

  9. Version 16? by SeaFox · · Score: 1

    Why did the version numbering jump so much? It went from 9.38 to 15.05 in five months with no releases between those two.

    1. Re:Version 16? by Anonymous Coward · · Score: 4, Informative

      "7-Zip uses YEAR.REVISION scheme for version numbers."
      https://sourceforge.net/p/sevenzip/discussion/45797/thread/a8fd6078/#1a6c/4be3/04ce

    2. Re:Version 16? by Anonymous Coward · · Score: 0

      "7-Zip uses YEAR.REVISION scheme for version numbers."

      Interesting, but not entirely accurate. If you believe their version history, 9.20 stable release date was 2010-11-18; 9.38 beta date was 2015-01-03. The next version listed is 15.05 beta on 2015-06-14.
      Well... maybe they NOW use a year revision scheme, but that didn't start until 15.05, apparently.

    3. Re:Version 16? by Anonymous Coward · · Score: 0

      That is still far too behind. We are in the year 2016, not 0016. Did we not learn anything from Y2K? ;)

    4. Re:Version 16? by Anonymous Coward · · Score: 0

      7-Zip uses YEAR.REVISION scheme for version numbers.

      Interesting, but not entirely accurate. If you believe their version history, 9.20 stable release date was 2010-11-18; 9.38 beta date was 2015-01-03. The next version listed is 15.05 beta on 2015-06-14.
      Well... maybe they NOW use a year revision scheme, but that didn't start until 15.05, apparently.

      First, the history you linked isn't complete. The 7-Zip history appears to recognize only those versions where Igor Pavlov released source code, which he doesn't do for all pre-release versions, particularly those he classifies as alphas, e.g. v15.00 through 15.03. There is a comment to his v15.00 announcement which complains about his source code release/commit practices.

      AIUI, the YEAR.REVISION scheme is always applied whenever the major version is changed, so for example, v4.00 alpha was released in 2004, and the first release after that was v4.20 in 2005. I cannot tell why Igor has ever bumped the major version, including v15.00, where there is no obvious major change compared to other betas/alphas before it. Maybe he added support for another compiler (e.g. latest MSVC) with v15.00, though that is only my guess. For all I know, on the first day of every month he rolls an old AD&D D20 for a saving throw versus major version increment, which he apparently failed on 01 April of last year - good thing it wasn't a red dragon breath attack...

      - T

  10. A total non story .. by khz6955 · · Score: 1

    "Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions," ref

    1. Re:A total non story .. by cnettel · · Score: 1

      Yeah, that's precisely what you would expect for a vulnerability in user space code. "Just" unzip a 7-zip file and suddenly any file in your home directory can be compromised... or gone. Run a vulnerability scanner on your e-mail server (with insufficient sandboxing), or on your web server for uploading files, and things get... worse.

    2. Re:A total non story .. by khz6955 · · Score: 1

      None of which would work except on the Intel platform, which is a story for another day ...

  11. Reboot? by Anonymous Coward · · Score: 0

    Why the hell did I have to reboot to install an open-source compression package? Never done that before...

    1. Re:Reboot? by bitwise+counselor · · Score: 1

      7-zip is integrated into the windows shell.

    2. Re:Reboot? by Anonymous Coward · · Score: 0

      I didn't have to reboot. I just clicked install and it extracted to the existing 7zip folder.

    3. Re:Reboot? by Anonymous Coward · · Score: 0

      Zip, yes. 7zip, no.

    4. Re:Reboot? by denis-The-menace · · Score: 1

      It depends what you DL.

      If you DL an MSI or EXE Installer, you might need to reboot.

      If you DL just the files, no reboot. (and no shell integration)

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  12. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 2, Insightful

    Except even very skilled and organized coders make bugs, even if less frequently, which means security bugs sometimes come in groups and sometimes not...

  13. I'm not using UFS or HFS+ file system by Anonymous Coward · · Score: 0

    So I'm safe.

  14. ...what? by wonkey_monkey · · Score: 1

    Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools

    What?

    --
    systemd is Roko's Basilisk.
    1. Re:...what? by Anonymous Coward · · Score: 0

      From what I can guess, certain security software (which may need to run with high level permissions) uses the 7zip code for their archive scanning. This means that the 7zip code may run with the same permissions, and if the exploit is executed, will run with high level permissions.

  15. So how do you open ZIP files these days? by DNS-and-BIND · · Score: 1

    So, when installing a new machine, how do you choose to open zip files? Winzip has that irritating registration screen, Windows native zip opening lacks features, 7zip sucks too, so what do people use these days that's free and downloadable?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:So how do you open ZIP files these days? by Tapewolf · · Score: 2

      So, when installing a new machine, how do you choose to open zip files? Winzip has that irritating registration screen, Windows native zip opening lacks features, 7zip sucks too, so what do people use these days that's free and downloadable?

      I doubt there are many implementations of 7zip out there. Chances are anything which can open a .7z file does so by using 7zip's SDK. It's public domain, so there's no reason not to unless you're working in a language that can't link to C libraries.

    2. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 2, Informative

      What sucks about 7zip?
      That's what I use exclusively.

    3. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      Winrar!

    4. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 5, Insightful

      "7zip sucks too"

      Totally disagree.

      On Windows it is the best compression tool (all impressive merits of the 7z format aside) simply because it does exactly what you want: installs windows shell commands, which really are invaluable:

        - Right click a folder and choose "Add to xxxx.7z" to make a 7z archive (last used settings) or "Add to xxxx.zip" to make a zip file (last used settings) or "Add to Archive" to bring up the options and customize everything. There are shell commands for sending via email, but I don't use those myself.

        - Right click any archive file and choose "Extract to ...." to dump the contents into a folder in the current directory. There is another option to bring up a dialog and choose where to put the contents.

      At the end of the day, 99.9999% of archive management is covered by these few commands and they really just get the job done.

      It's as nice as right clicking a folder of MP3s and choosing "Play in Winamp". It was good that this was added to VLC, but I also see that Microsoft copied this and now I have an annoying "Play in Windows Media Player" option there as well. I *know* I can get rid of it, but life's too short.

    5. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      Try running a temp directory on your ramdrive and then tell me what sucks about 7z.
      It's as if these morons never saw a computer before.

    6. Re:So how do you open ZIP files these days? by nickersonm · · Score: 1

      I prefer WinRAR.

    7. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      What dumb nigger would use a ramdrive? Are we back in 1985?

    8. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0, Flamebait

      I prefer WinRAR.

      Then you prefer to suck.

    9. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      So, when installing a new machine, how do you choose to open zip files? ... Windows native zip opening lacks features, ... so what do people use these days that's free and downloadable?

      I've never had any problems with Windows shell's built-in zip extraction, so I'm curious what zip features you think are missing.

    10. Re:So how do you open ZIP files these days? by drinkypoo · · Score: 1

      They fixed the vuln in 7zip already. The download is tiny (1.3 MB for 64 bit) and the install/upgrade is nigh-instantaneous. The only thing I know of wrong with 7zip is that when you use drag and drop it extracts to a temp folder and then moves the files, which can have unfortunate results. If you use extract to, you don't have that problem. Hell, maybe they fixed that. Probably not :)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 1, Insightful

      WinRAR does all that, but better.

    12. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      I have seen the following archivers on Ninite.com:
      7zip
      PeaZip
      WinRAR

      I kept using 7zip, so I cannot speak for the other two.

    13. Re:So how do you open ZIP files these days? by EvilSS · · Score: 1

      WinRAR isn't free. It costs $29 or you can choose to install it with some malware for free.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    14. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      try creating a password protected archive

      or unzipping an aes256 password protected archive

    15. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      LOL. No thanks.

      If aespipe won't work, I'll just tell the idiot who sent me the file not to do that again.

    16. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      Works fine. Are you a drag-and-drool moron by chance?

    17. Re:So how do you open ZIP files these days? by sexconker · · Score: 1

      They have not fixed it, and the developer says he won't.
      He gave some excuse about not being able to tell what the target of the drop point was until the extraction was done. I believe it was bullshit in 2010, and it's almost certainly bullshit now.

      https://sourceforge.net/p/seve...

    18. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      They have not fixed it, and the developer says he won't.

      I guess you didn't read all the way to the end of TFA, where it states that both vulnerabilities were addressed in v16.00. Also, see Igor Pavlov's reply to a post on this exact question in the v16.00 announcement, where he explicitly states that both bugs have been fixed in v16.00. So your second assertion, "the developer says he won't", is false. To be fair, I haven't seen confirmation of the fix by independent security researchers, so if you have support for your first assertion, "They have not fixed it", I'm sure we'd all be interested in seeing it.

      He gave some excuse about not being able to tell what the target of the drop point was until the extraction was done. I believe it was bullshit in 2010, and it's almost certainly bullshit now.

      https://sourceforge.net/p/seve...

      Your link is to some problem with how Windows Explorer reports drag-and-drop targets to the source application. From the Talos analysis, the two vulnerabilities in question appear to be unrelated to Windows Explorer drag-and-drop. Did you link to the wrong old post?

      I haven't manually coded a Windows Explorer drag-and-drop in nearly a decade, so I don't remember enough about it to tell if Igor's response in your link qualifies as "bullshit". Normally, I would go refresh my knowledge of the relevant COM interfaces, but your post already appears to be off base, so I'd say the onus is on you to cite the MSDN documentation supporting your accusation of "bullshit".

      - T

    19. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      In what way is it better?

    20. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 0

      WinRAR does the same thing.

  16. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 0

    People do this because C and C++ are faster than the new ones.

  17. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 0

    > a programming language so crude it does not even have a concept of an array, and hence bounds checking

    Obviously, http://en.cppreference.com/w/c... doesn't exist in your world.

  18. Re:Big pile of mess to clean up by silentcoder · · Score: 2, Insightful

    The astonishing thing is that after 3 decades of stack-crashing causing more security bugs than any other type - there still isn't a native array/hash/list type added to C.
    One can sanely argue that there are genuine cases where C's freedom to do almost anything is both needed and wanted - but how does that preclude giving sane, one-place-fixable standard data types for common tasks which you can deviate from only when you do, in fact, have to?

    Sure there are implementations of such in some libraries - but the moment you go there your program's portability and shippability are suddenly dependent on those of the library. This is the kind of functionality that ought to have been in ANSI-C decades ago so you could use it, and compile with any standards compliant compiler on any platform without fear.

    --
    Unicode killed the ASCII-art *
  19. Re:Big pile of mess to clean up by TheRaven64 · · Score: 1

    He talked about array, not vector.

    --
    I am TheRaven on Soylent News
  20. Re:Big pile of mess to clean up by TheRaven64 · · Score: 5, Informative

    The astonishing thing is that after 3 decades of stack-crashing causing more security bugs than any other type - there still isn't a native array/hash/list type added to C.

    There is, but the resulting language is called C++. The type system of C doesn't allow you to have container-of-X, where X is some other type, constructs without resorting to macros. A lot of systems (including Windows NT and Linux) use derivatives of the 4BSD headers for this, but they use a container-of pattern that involves casting from a pointer to member to a pointer to the outer structure in a way that depends on explicit casts and makes it easy to accidentally violate type safety.

    --
    I am TheRaven on Soylent News
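
The container-of pattern the post above describes, sketched as an added example (not code from the page, 7-Zip or any OS): the raw macro compiles for any struct name, and a tag check on the link is one way to catch a mismatched cast at run time. `struct task`, `struct ticket` and the accessor names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Intrusive-list pattern in the style of the 4BSD queue headers and their
 * descendants: the link is embedded in the element, and container_of()
 * subtracts the member's offset to recover the element. This is the
 * example's own sketch; struct names are hypothetical. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

enum kind { KIND_TASK = 1, KIND_TICKET = 2 };

/* The link itself is untyped: nothing records which struct it is embedded
 * in. The `kind` tag is the safeguard this example adds. */
struct link { struct link *next; enum kind kind; };

struct task   { int id; struct link node; };
struct ticket { double weight; long serial; struct link node; };

/* The raw macro compiles for ANY type name. container_of(l, struct ticket,
 * node) applied to a task's link is accepted without a diagnostic and
 * produces a pointer offset_gap() bytes away from the real object. */
size_t offset_gap(void) {
    return offsetof(struct ticket, node) - offsetof(struct task, node);
}

/* Checked accessors: verify the tag before casting, NULL on mismatch. */
struct task *task_from(struct link *l) {
    return (l && l->kind == KIND_TASK) ? container_of(l, struct task, node) : NULL;
}
struct ticket *ticket_from(struct link *l) {
    return (l && l->kind == KIND_TICKET) ? container_of(l, struct ticket, node) : NULL;
}

/* Constructed mixed list: task 7 -> ticket 42 -> task 9. */
static struct task   t1 = { 7, { NULL, KIND_TASK } };
static struct ticket k1 = { 0.5, 42, { NULL, KIND_TICKET } };
static struct task   t2 = { 9, { NULL, KIND_TASK } };

struct link *build_list(void) {
    t1.node.next = &k1.node;
    k1.node.next = &t2.node;
    t2.node.next = NULL;
    return &t1.node;
}

/* Sum of task ids, skipping links that are not tasks. */
int sum_task_ids(void) {
    int sum = 0;
    for (struct link *l = build_list(); l; l = l->next) {
        struct task *t = task_from(l);
        if (t) sum += t->id;
    }
    return sum;
}

/* Each link is rejected by exactly one of the two accessors. */
int count_rejections(void) {
    int n = 0;
    for (struct link *l = build_list(); l; l = l->next)
        n += (task_from(l) == NULL) + (ticket_from(l) == NULL);
    return n;
}

int main(void) {
    printf("task ids sum to %d, %d cross-type lookups rejected, offset gap %zu bytes\n",
           sum_task_ids(), count_rejections(), offset_gap());
    return 0;
}
```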
  21. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 0

    > C blah blan mumble 2016 mumble

    And what are you proposing? PHP?

    (those "if this were written in $MY_FAVE_LANG this wouldn't have happened" really miff me. Even worse those who are too cowardly to name $MY_FAVE_LANG).

    Pro tip: improve the craftspeople, then the tools.

  22. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 0

    Yes, everything should be done in JavaScript or Flash.

  23. "A few decades late"? WTF?? by Anonymous Coward · · Score: 1

    From 1992 onward C-2 Orange Book security design in Windows NT based OS (NT/2000/XP/7) was a HUGE leap over Win9x & certainly Win3.x + below before it (in both stability & security).

    They ALL have Access Control Lists + Group Policies, as far as security goes, on NTFS filesystems & registry level access by user name or group as well!

    APK

    P.S.=> Unless I misunderstood you, I have to ask you - have you actually USED any/all of those versions of Windows before that you made the statement you did? apk

    1. Re:"A few decades late"? WTF?? by gweihir · · Score: 1

      You misunderstand. The OS has had those for a while, but privilege escalation was not taken seriously on user machines and hence the level of privilege was mostly meaningless as escalation without permission was very easy.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  24. What the heck does this mean? by Bruinwar · · Score: 1

    Can someone please tell me what this means to me?

    I do not work in IT, I work in engineering. Our IT department keeps themselves clueless about CAD & CAD data management & somehow, mainly by default, I am the admin (in my spare time HA! what exactly is spare time?!). I've been using & deploying 7zip on all the clients I install our CAD platforms on.

    Are all these machines at risk? Am I going to get an email from that IT guy yet again?

    --
    SLOWER TRAFFIC KEEP RIGHT
    1. Re:What the heck does this mean? by Anonymous Coward · · Score: 0

      Deploy the updated 7-Zip and EMET it, while you're at it. Just make sure your CAD license servers or clients don't crash after some interaction between your anti-virus and EMET.

    2. Re:What the heck does this mean? by Anguirel · · Score: 1

      Your local 7-zip copies should probably be updated, but they're not a serious risk. The major thing is to look for an update for your Anti-Virus (assuming you use one). Most AVs use 7z under the hood to scan archives. The vulnerability here would be if someone accidentally grabs a virus-laden archive that was crafted for this express purpose (or one is sent to your e-mail and auto-scanned on receipt before you even get a chance to delete it); the act of the AV scanning it would activate the flaw at the AV's level of access, allowing it to potentially do bad things to your system.

      --
      ~Anguirel (lit. Living Star-Iron)
      QA: The art of telling someone that their baby is ugly without getting punched.
    3. Re:What the heck does this mean? by Bruinwar · · Score: 1

      Thank you. This is why I tell people when they download a utility to delete it & download the latest version when they need it again. It's too bad I did not follow my own advice with 7-ZIP. Come Monday I will update all my clients & discuss the AV with the IT folks.

      They are not going to like this at all. There is a really good chance they will freak out & make me remove all 7-ZIP installs completely. They may even have an emergency meeting where they will look to place blame & decide an engineer should not be doing IT work. What's funny is when I tell them about this it will be the first they've heard of it. None of them actually follow tech news at all.

      --
      SLOWER TRAFFIC KEEP RIGHT
  25. So, ... was this a responsible disclosure by DigitalSorceress · · Score: 1

    Ok, so I read the article, and my colleagues and I use 7-zip quite a bit - so I am trying to figure out if the vulnerability was addressed in the latest release.

    I see the article was posted on the 11th, and 7-zip's latest build seems to be v 16.0, which was published on 5/10 ... but looking at the 7-zip fix history:

    http://www.7-zip.org/history.t...

    All I see is that "some bugs were fixed" - this does not fill me with confidence.

    So, I'm just trying to decide if the May 10 update and May 11 release is enough circumstantial evidence to say "ahh, v16 fixes this, so just update and we're good" (assuming we don't have any other tools that bake in vulnerable past 7-zip SDK builds).

    My guess is that updating to 16.0 will likely fix this in my directly installed copy of 7-zip.... though I don't like going on hope and circumstantial evidence.

    --
    The Digital Sorceress
    1. Re:So, ... was this a responsible disclosure by Mister+Transistor · · Score: 4, Informative

      Um, last line (it's hard to concentrate that long, I know...) of TFA:

      "The flaws were fixed in 7-Zip 16.00, which was released Tuesday."

      --
      -- You are in a maze of little, twisty passages, all different... --
    2. Re:So, ... was this a responsible disclosure by denis-The-menace · · Score: 1

      I looked too and I saw no mention of this issue in 7-Zip closed tickets.

      So is this issue for real or does 7-Zip maintain a separate Bug DB?

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    3. Re:So, ... was this a responsible disclosure by EvilSS · · Score: 1

      Irony, you haz it.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  26. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 0

    What program has ever been 100% free of security holes? Have you ever looked at metasploit and seen how many vulnerabilities are there alone?

  27. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 0

    Pro tip: improve the craftspeople, then the tools.

    Wrong. Dead wrong. This is the usual brogrammer attitude. I've been doing this stuff for 30 years, and I have heard a lot of it.

    It is extremely difficult and time consuming for humans to program safely in C. Human brains do not work that way. Yes, that includes your brain. Yes, I know you think you're an exception. You are not. And out here in the real world, your management is not going to give you the time to do the extremely tedious checking necessary to avoid running off the ends of buffers in a language where every array reference is expressed in terms of arbitrary un-bounds-checked pointer arithmetic and pointer type casts are a major idiom.

    What would be better? Almost anything. 1970s languages like Ada, if you turn on bounds checking. Managed languages like Java. Languages with halfway decent type systems like Haskell or even OCaml or Rust (just stay away from unsafe extensions). Even super dangerous hyper-dynamic toy scripting languages like Python or JavaScript are safer than C.

    You can go ahead and write your 10 line inner loop in C, which will get you 95 percent of the performance you're about to complain about. You should not be writing your file parser in it.

  28. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 0

    JAVA is the only answer!!!! all hail the Oracle.

  29. nspawn by emil · · Score: 1

    I'm pretty sure that the BSD that Bill Joy ran on his VAXes could not nspawn a container, so I might interject that the Linux privilege system has changed slightly.

    Now, if you don't carefully populate your container, you can easily cause more security problems than you solve.

    1. Re:nspawn by gweihir · · Score: 1

      I fully agree to that. And from my observations, the way people run containers, they usually get all the original vulnerabilities and in addition those of the container as well. They think that a container is somehow as good as a separate machine.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  30. Re:Big pile of mess to clean up by Immerman · · Score: 1

    Spoken like someone with no understanding of the limitations of the hardware their code is running on.

    Conditional branching is generally by *far* the slowest thing you can do on a modern CPU, since it can completely stall out the instruction pipeline, especially if the next instruction can't proceed safely until the conditional is resolved (like, say, "do not access the indexed memory location until we've confirmed the index is valid"). An Intel Core i5 has a pipeline depth of 14, so while most common instructions complete at a rate of 1 per tick, a conditional jump can stall things for up to 14 ticks. A good compiler can (often) help immensely by reorganizing instructions so that the conditional result isn't immediately critical, but if you're doing any sort of serious array processing, like say matrix multiplication, bounds-checking is probably going to be responsible for the vast majority of the total CPU time used.

    Of course there are lots of very common situations where actually traversing the array is only a tiny percentage of the work done on each element, and the performance penalty is thus tiny enough to be well worth the safety gains. Which is why C++ includes container classes that *do* offer bounds checking - and those should be used wherever appropriate, as they also offer lots of other conveniences. But one of C and C++'s great claims to fame, one of the reasons they are still some of the most widely used languages on the planet, is that they combine the performance of hand-tuned assembly with the convenience of a high-level language. And their primitive data types must necessarily reflect the compromises required for that to be attainable.

    Bottom line: if you don't have the skill and/or discipline necessary to safely use the footgun, DON'T TOUCH THE FOOTGUN. The C++ standard library makes it relatively easy to avoid the most dangerous pitfalls, with performance penalties no worse (and often much better) than languages where such constructs are part of the language itself. Even skilled professionals should probably steer clear of naked arrays and pointer manipulation unless they have a reason to do so. It's perhaps disappointing though that you typically have to explicitly invoke bounds checking with the .at(i) function while the more concise [i] notation bypasses it.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
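    Immerman's last point about `.at(i)` versus `[i]`, made concrete in an added C++ example that is not code from the comment, from 7-Zip or from The Register: a parser for a constructed, hypothetical length-prefixed record (not the UDF layout), once relying on `.at()` to reject a length field that overruns the buffer, and once with the explicit pre-check a plain-C parser has to carry.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical record layout, not the UDF format: [u16 LE payload length][payload...]
// An untrusted length field driving a read is the same shape of bug as the
// article's malformed Long Allocation Descriptor.
struct Record {
    std::uint16_t length = 0;
    std::string payload;
};

// Checked indexing: every access goes through .at(), so a length that runs
// past the buffer throws std::out_of_range instead of reading stray memory.
// The same loop written with buf[2 + i] would silently read past the end.
bool parse_record(const std::vector<std::uint8_t>& buf, Record& out) {
    try {
        Record r;
        r.length = static_cast<std::uint16_t>(buf.at(0) | (buf.at(1) << 8));
        for (std::size_t i = 0; i < r.length; ++i)
            r.payload.push_back(static_cast<char>(buf.at(2 + i)));
        out = r;
        return true;
    } catch (const std::out_of_range&) {
        return false;  // malformed: reject the whole record
    }
}

// Explicit pre-validation, the form a plain-C parser must use: compare the
// declared length against the bytes actually remaining before any indexing.
bool parse_record_prechecked(const std::vector<std::uint8_t>& buf, Record& out) {
    if (buf.size() < 2) return false;
    const std::uint16_t len = static_cast<std::uint16_t>(buf[0] | (buf[1] << 8));
    if (len > buf.size() - 2) return false;  // the length field lies
    out.length = len;
    out.payload.assign(buf.begin() + 2, buf.begin() + 2 + len);
    return true;
}

// Constructed inputs: a well-formed record and one whose length field
// claims 0x7FFF bytes while only two actually follow.
const std::vector<std::uint8_t> kGoodRecord{5, 0, 'h', 'e', 'l', 'l', 'o'};
const std::vector<std::uint8_t> kBadRecord{0xFF, 0x7F, 'a', 'b'};

int main() {
    Record r;
    std::cout << (parse_record(kGoodRecord, r) ? "ok: " + r.payload : std::string("rejected")) << '\n';
    std::cout << (parse_record(kBadRecord, r) ? "ok: " + r.payload : std::string("rejected")) << '\n';
}
```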
  31. Badly worded by DrYak · · Score: 4, Informative

    7z is software used to manipulate archives in numerous formats (including a few obscure ones - it's one of the most compatible on the market).

    Lots of security software, like antivirus products, need to be able to process archives (e.g.: an antivirus needs to scan all the files packaged into a ZIP archive).
    Some of this security software uses 7z as an archive engine.

    7z has a vulnerability when unpacking a specially crafted archive.
    This flaw will extend to security software that relies on 7z as a component to help it handle archives.

    Hence "Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools"

    By sending an e-mail with a specially crafted ZIP file attachment, you can b0rk the mail server using an exploit that affects the antivirus in charge of scanning incoming attachments, because that antivirus relied on 7z.

    That means

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  32. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 0

    Rust. Duh.