7-zip vulnerability - update now

bingo600:

https://cybersecuritynews.com/7-zip-vulnerability-arbitrary-code/

SiliconWizard:
There's something I don't get in this article.
They mention Zstd, which is indeed used in various critical parts of Linux and other systems, but Zstd is not 7-zip and not provided by 7-zip AFAIK.
Can anyone enlighten me?

sleemanj:

--- Quote from: SiliconWizard on November 25, 2024, 10:18:04 pm ---There's something I don't get in this article.

--- End quote ---

My reading is that the bug is in 7-zip's particular implementation of Zstd.

https://github.com/mcmilk/7-Zip/blob/14d4b3f5e43e1c9bf23d314dcb8fb76887f6e855/C/ZstdDec.c




SiliconWizard:
Ah thanks, is the 7-zip's zstd decoder really used in anything critical in Linux? I sure wasn't expecting that. Maybe that is so?

I looked at what seems to be the culprit:
https://github.com/mcmilk/7-Zip/commit/14d4b3f5e43e1c9bf23d314dcb8fb76887f6e855#diff-896855d0e24931a930fa2e2a5e6c4a92d3589a70c1f8436d76e0f3c673888624

ejeffrey:

--- Quote from: SiliconWizard on November 25, 2024, 11:16:22 pm ---Ah thanks, is the 7-zip's zstd decoder really used in anything critical in Linux? I sure wasn't expecting that. Maybe that is so?

--- End quote ---

Not that I can tell.  I think the article was just weirdly written.
