17 comments

[ 2.7 ms ] story [ 56.5 ms ] thread
Release notes for version 18.05, 2018-04-30 include:

> CVE-2018-10115 - Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.

Excellent article from the bug discoverer here: https://landave.io/2018/05/7-zip-from-uninitialized-memory-t...

Some good discussion in the linked HN discussion from a couple of days ago.

Doesn’t seem that big, if you open a RAR from a shaddy source, I would expect to get malwares anyway.
It doesn't have to be a .RAR file.

7-Zip infers filetype (by necessity in many cases), so any file that you open with 7-zip can trigger the problem.

Why would open a .png or something in the like in 7-Zip?
You wouldn't.

People definitely would open: .zip, .7z, .gz, .xz, .iso, ...

7-Zip libraries are commonly used in third party applications, like… antivirus.

So, your antivirus can scan your .png files, try to uncompress them as rar (based on their content) and execute malicious code without you having even the slightest idea of what is happening.

I would not. It's not reasonable that a pure data viewer runs something. This is like saying viewing a script in notepad can run it and is expected to infect you. And for better or worse antiviruses use 7z dll to scan archives too.
Remember when Microsoft Outlook used to automatically execute programs sent to you in email?
I'm not that old but I'd bet that it wasn't received well and caused infections and that's why it 'used to' and doesn't anymore.

A similar thing is with ldd (I don't know if this still works and can't search or check right now): https://news.ycombinator.com/item?id=902958

Doesn't that mean anything that can handle RAR needs to be more safe, not less safe?
Isn't this old news or am I missing something ?
Haha, that sourceforge 7zip "trailer" at the end was great. I wonder if anyone actually found that useful? Like, if they found the video, I assume they could have found and installed 7zip...
Websites put videos on pages because watcing a video increases tome on page, and time-on-page metrics that feed into automated advertising spend. The website needs nothing from the video besides you spending time playing it.