7-zip remote code execution

7-zip prior to version 18.05 is vulnerable to remote code execution when extracting an archive.
landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution

I use WinRAR

Only on Windows ;)

So upgrade to 18.05, it's literally the same. There, crisis averted.

No, all libraries which are based on the 7zip source code are affected

Some software uses libraries with earlier versions. He writes it in previous articles that some antivirus software uses dlls based on previous versions.

The point OP is making is that NSA/third party entities could've known about this exploit for years.

It just goes to show that just having "common sense" isn't enough.

open sores strikes again.

can't you just search for every 7z.dll on your computer and replace it?

who knows how long it'd take all vendors to update to the patched version

> Not only 7-Zip itself is affected, but essentially all software that uses 7z.dll as library to extract files. This includes various anti-virus software.
>However, exploitation may be more difficult (though not impossible) if ASLR&DEP is properly enabled (on all modules)

What does this mean? Can I use EMET to mitigate this?

So this is the power of open source

The power of open source is that the vulnerability has been discovered at all. Just imagine what kind of spaghetti you might have inside your proprietary programs, of which source you aren't even allowed to look at.

the unrar parts aren't open-source..

Aren't there checks in place on windows so that can't happen? Signed Libraries and stuff.

The Windows package manager updates lib7z and all programs that use it are automatically safe. Just run
win-get update
win-get upgrade
Done

Based Microsoft

Thanks for letting us know there's an update, OP!

For every one security risk / bug found in FLOSS, there are 10 that aren't found/documented/reported/corrected in proprietary software.

>So this is the power of open source
well, yes, in a sense. If it were proprietary the 3 letter agencies of the world would have documented and weaponized this vulnerability instead of releasing the info to the public for a fix.

It's third-party software that uses the 7z.dll, not Windows. You can easily replace it assuming the program doesn't do hash checks. AV's probably do.

I use kaspersky for my AV, and they don't seem to use 7z as a module

bullshit.
let's recap
>7-Zip’s RAR code is mostly based on a recent UnRAR version, but especially the higher-level parts of the code have been heavily modified. As we have seen in some of my earlier blog posts, the UnRAR code is very fragile. Therefore, it is hardly surprising that any changes to this code are likely to introduce new bugs.
so hobbyists heavily modify fragile code and introduce new bugs.
if rarlabs would have kept unrar's source under wraps this wouldn't have happened.

good thing I don't use RAR in 2018

>If it were proprietary the 3 letter agencies of the world would have documented and weaponized this vulnerability instead of releasing the info to the public for a fix.
So what section of the GPL, BSD or MIT licenses compels an alphabet soup to release that information, exactly?

So does this only affect rar files that are extracted with 7zip?

did you even read it?
has nothing to do with whether the format is .rar or not.

NO IT AFFECTS ANYTHING THAT USES 7Z

READ MY NIGGER

>1. Some people mentioned that this would "only affect RAR files" and it would be safe to extract 7z files with 7-Zip prior to version 18.05. This is wrong, because 7-Zip detects the file type from the magic numbers at the beginning of the file. So the exploit can be renamed to 'exploit.7z' and it works just as well.

But he mentions in the article that the RAR implementation was customized by the 7-zip developer which brought the exploit in.
Your quote just says that 7-zip doesn't look at file extension but detects extraction algorithm by looking inside file. So you could rename .rar to .7z and still get the wrong extraction algorithm even though you didn't intentionally open a rar file.
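
Added example, not part of the thread or of 7-Zip's code: a small triage helper that identifies an archive by its leading magic bytes instead of its extension, so a RAR container renamed to `.7z` is flagged as reaching the RAR unpacking path. The file names and headers in `SAMPLES` are constructed, and `sniff`, `audit` and `flagged` are names chosen for this illustration.

```python
import os

# Well-known container signatures (leading bytes of the file).
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),  # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),      # RAR 1.5 to 4.x
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
]


def sniff(header: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'.

    Only offset 0 is checked; self-extracting archives carry the
    signature later in the file and are out of scope here.
    """
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"


def audit(name: str, header: bytes) -> dict:
    """Compare what the extension claims with what the content is."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = sniff(header)
    return {
        "name": name,
        "extension": ext,
        "detected": kind,
        "mismatch": kind != "unknown" and ext != kind,
        "rar_path": kind == "rar",  # would be handled by RAR unpacking code
    }


def flagged(samples: dict) -> list:
    """Names of files whose content is RAR but whose extension says otherwise."""
    results = (audit(name, header) for name, header in samples.items())
    return sorted(r["name"] for r in results if r["rar_path"] and r["mismatch"])


# Constructed sample headers (not real archives).
SAMPLES = {
    "holiday.7z": b"Rar!\x1a\x07\x00" + b"\x00" * 9,
    "backup.7z": b"7z\xbc\xaf\x27\x1c\x00\x04",
    "notes.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,
    "readme.txt": b"plain text, no signature",
}

if __name__ == "__main__":
    print(flagged(SAMPLES))
```

To check real files, pass the first 8 bytes read from each file as the `header` argument.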

On windows the update solves the problem

But on linux the p7zip is behind for the updates so there it might be a problem.
But p7zip doesn't have rar support (the 7zr executable). If you have p7zip-full installed then you can extract rar files with 7zip.

i feel sorry for anyone that used tor to download illegal porn.

you're fucked, kek

No1 cares, about abandoned obsolete software.

>if rarlabs would have kept unrar's source under wraps rar would be fully dead instead of mostly.
FTFY

TL;DR

I constantly download a ton of warez. Does this mean that some of those archives could've contained malware?

>But p7zip doesn't have rar support (the 7zr executable).
upstream p7zip has rar support

>If you have p7zip-full installed then you can extract rar files with 7zip.
don't confuse debianism with upstream.
Debian is known for patching everything to shit:
sources.debian.org/src/p7zip/16.02+dfsg-6/debian/patches/01-makefile.patch/

I uninstalled p7zip-full and p7zip.
Then I reinstalled only p7zip.
I tried to extract a .rar renamed as .7z
It didn't work.

.7z isn't that common on linux though. So I can live without it.

Yes.

However I highly doubt anyone else knew about this exploit outside of NSA. Also I think people give NSA too much credit, sort of a catch all for exploits.

>- The vulnerability in RAR unpacking code was fixed (CVE-2018-10115).

So it's unrar's fault?

are you really this retarded.
splitting upstream p7zip into p7zip and p7zip-full is Debian's doing. (or some other distro)

why do you get angry?
The point is: I can't unpack rars with 7zip anymore.
And that's the vulnerability as far as I understand.

>I constantly download a ton of warez
You deserve whatever you have coming.

>this just in
>some old out of date & replaced software has vulnerabilities
>make sure to update to have fixed security holes

wew lad

Thanks op I have version 17beta

>tfw just realise that I still use 17.01
What do I miss?

>tfw still on 17.0X

how hard is it to implement a feature that notifies the user of new updates within the program?

thanks for the heads up, I was still on version 16