Security Flaw in 7-Zip DLL affecting multiple Portable Apps and Portable Apps Platform

PortableGood
Joined: 2014-10-06 11:51
Security Flaw in 7-Zip DLL affecting multiple Portable Apps and Portable Apps Platform

Note that a CRITICAL security flaw has been discovered in 7-Zip.

All apps that use 7-Zip libraries can also be affected by this severe vulnerability.

This likely includes quite a few of the Portable Apps offered on this site, and may include the Portable Apps Platform itself.

The 7-Zip team has released a new version of their tool that (hopefully) patches the vulnerability, but every app that uses the vulnerable libraries also needs to be updated with patched versions of the libraries... otherwise they will still be vulnerable to this issue.

For details, see https://www.ghacks.net/2016/05/13/7zip-vulnerability-affects-security-so...

[Title updated from "SECURITY ALERT" by mod JTH to not be scary all-caps and be descriptive. JTH changed title to "7-Zip Security Update". Title then adjusted by OP to more accurately reflect the real problem and that it affects much more than 7-Zip.]

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Everything Updated

Both 7-Zip Portable and PeaZip Portable have been updated as well as tools which utilize 7-Zip internally (PA.c Installer, PA.c AppCompactor). The PortableApps.com Platform has also been updated (it uses 7-Zip as part of its backup and restore feature).

Sometimes, the impossible can become possible, if you're awesome!

BadPointer
Joined: 2016-05-15 04:56
It's not as bad as it sounds

Apps that are adding 7-Zip support via LZMA SDK were never affected since the library doesn't even include the files (HfsHandler.cpp, UdfIn.cpp) that had the vulnerability. However, some tools are using 7za.exe and they must be updated to 7-Zip 16.0 to patch the vulnerability.

PortableGood
Joined: 2014-10-06 11:51
Thank you for updating many

Thank you for updating many of the affected apps and the Portable Apps Platform so quickly. I would have really appreciated a quick "thank you" for taking my time to report this issue.

From what I can tell, WinMerge is also affected by this security issue and has not been patched.

Note that, according to the WinMerge2011 developer, it's not as simple as replacing a DLL. For details, see https://bitbucket.org/jtuc/winmerge2011/issues/107/security-issue-7-zip-...

Despite its name, WinMerge2011 is actually a newer and improved fork of WinMerge. It will likely receive the needed security patches sooner than the old WinMerge.
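
To see which apps on a drive still carry their own copy of the 7-Zip binaries discussed in this thread, the following PowerShell inventory can be run against the install folder. It is an added example, not code from any poster or from PortableApps.com; the default root path and the list of file names other than 7za.exe are assumptions.

```powershell
# Added example, not from the thread: list bundled 7-Zip binaries and their versions.
param(
    [string]$Root = 'E:\PortableApps',  # assumed install root; pass your own path
    [version]$Patched = '16.0'          # release the thread names as containing the fix
)

# File names 7-Zip distributes its code under. 7za.exe is named in the thread;
# the rest are the other standard 7-Zip binaries (assumed relevant here).
$names = '7z.dll', '7z.exe', '7za.exe', '7za.dll', '7zxa.dll'

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $vi = $_.VersionInfo
        if ([string]::IsNullOrEmpty($vi.FileVersion)) {
            # No version resource: cannot be judged automatically.
            $ver = $null
            $status = 'UNKNOWN'
        } else {
            # Compare on major.minor only, e.g. 9.20 or 15.14 against 16.0.
            $ver = [version]('{0}.{1}' -f $vi.FileMajorPart, $vi.FileMinorPart)
            $status = if ($ver -lt $Patched) { 'OLDER THAN PATCHED' } else { 'OK' }
        }
        [pscustomobject]@{
            Status  = $status
            Version = $ver
            Path    = $_.FullName
        }
    } |
    Sort-Object Status, Path |
    Format-Table -AutoSize -Wrap
```

The scan only finds copies that keep their standard file names; code that is renamed or compiled into another binary, as in the WinMerge case mentioned above, has to be checked with the app's developer.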
