
A serious security vulnerability has been found in 7-Zip - doener
https://www.pcgamer.com/a-serious-security-vulnerability-has-been-found-in-7-zip/
======
stephengillie
Previous discussion:
[https://news.ycombinator.com/item?id=16985460](https://news.ycombinator.com/item?id=16985460)

------
kbaker
Release notes for version 18.05, 2018-04-30 include:

> CVE-2018-10115 - Incorrect initialization logic of RAR decoder objects in
> 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing
> remote attackers to cause a denial of service (segmentation fault) or
> execute arbitrary code via a crafted RAR archive.

Excellent article from the bug discoverer here:
[https://landave.io/2018/05/7-zip-from-uninitialized-
memory-t...](https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-
remote-code-execution/)

Some good discussion in the linked HN discussion from a couple of days ago.

~~~
hartator
Doesn’t seem that big, if you open a RAR from a shaddy source, I would expect
to get malwares anyway.

~~~
FRex
I would not. It's not reasonable that a pure data viewer runs something. This
is like saying viewing a script in notepad can run it and is expected to
infect you. And for better or worse antiviruses use 7z dll to scan archives
too.

~~~
fjsolwmv
Remember when Microsoft Outlook used to automatically execute programs sent to
you in email?

~~~
FRex
I'm not that old but I'd bet that it wasn't received well and caused
infections and that's why it 'used to' and doesn't anymore.

A similar thing is with ldd (I don't know if this still works and can't search
or check right now):
[https://news.ycombinator.com/item?id=902958](https://news.ycombinator.com/item?id=902958)

------
shakencrew
previously discussed at
[https://news.ycombinator.com/item?id=16985460](https://news.ycombinator.com/item?id=16985460)

------
komali2
Haha, that sourceforge 7zip "trailer" at the end was great. I wonder if anyone
actually found that useful? Like, if they found the video, I assume they could
have found and installed 7zip...

~~~
fjsolwmv
Websites put videos on pages because watcing a video increases tome on page,
and time-on-page metrics that feed into automated advertising spend. The
website needs nothing from the video besides you spending time playing it.

------
EODjugornot
This is some real news. I use 7-Zip quite often. Being relatively new to the
infosec community, I find it to be fun, and a learning challenge to keep up
with any new exploits!

~~~
0xdeadbeefbabe
Yes, too true; old infosecers resemble Carrie Nation
[https://en.wikipedia.org/wiki/Carrie_Nation](https://en.wikipedia.org/wiki/Carrie_Nation).

------
zython
Isn't this old news or am I missing something ?

