🚨 SECURITY PSA - 7ZIP VULN🚨

neatchee@urusai.social · 1 year ago

🚨 SECURITY PSA - 7ZIP VULN🚨

Not Simon 🐐@infosec.exchange · 1 year ago

@neatchee it’s a fake proof of concept https://therecord.media/fake-zero-day-7Zip

CC_FL_IT_GUY@phpc.social · 1 year ago

@neatchee
If you read the write up, it sounds like the 7-Zip maintainers have not released a version yet with a patch. Current release is 24.09… watch for something newer.

neatchee@urusai.social · 1 year ago

@[email protected] CVE indicates 24.08 was the patched version

CC_FL_IT_GUY@phpc.social · 1 year ago

@neatchee That good to know. The original report from the group that found it said they were unaware of any patched version being released, but they had not heard from the maintainers yet. I usually check for an update once a month anyway.

Nazo@urusai.social · 1 year ago

@neatchee Thanks for the warning. I make a lot of use of 7-Zip.

Zstandard is used in a lot of things. This could be problematic as a whole.

neatchee@urusai.social · 1 year ago

@[email protected] supply chain attacks are the favorite these days :/

Nazo@urusai.social · 1 year ago

@neatchee Sadly an all too accurate statement.

Luckily the version of 7-Zip with the fix was back in August, so I’m guessing this CVE has been well known across most things. Each of my Linux systems were probably ok by the time I installed the current versions even (let alone updates.)

I did need to update the Windows partition though. Haven’t booted it in ages, much less updated 7-Zip…

TootSweet@lemmy.world · 1 year ago

Why do I hear specifically about vulnerabilities in compression programs so much more than in other kinds of software?

neatchee@urusai.social · 1 year ago

@[email protected] because it’s specifically software that is about opening and processing arbitrary payloads.