Just karma whoring here, since I noticed the announcement and figured the news needs to spread. Cisco Talis discovered a number of bugs in 7zip versions prior to 16.00, some of which lead to arbitrary code execution when processing certain malformed archives: http://ift.tt/1TaxjJF http://ift.tt/21WOh42 Versions from 9.20 to 15.00 are said to contain some or all of the bugs. The comment stream in the 2nd link contains this remark: "By default 7zip will pass inputs through all of its decompression routines so blocking certain extensions will not work unless you also pass a command line argument that specifies the parser to use. These bugs will trigger with a malformed UDF/HFS file with a .zip extension unless the added command line argument is used." Upgrading to 7zip V16.00 ("as soon as possible") is said to fix the vulnerabilities. The official 7zip changelog at http://ift.tt/ZxaMzn for 16.00 just says "Some bugs were fixed". Nick
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment