7-Zip could put many other software products at risk

The 7-Zip software can pack and unpack files using a large number of archive formats, including its own 7z format, which is more efficient than ZIP. Its versatility and open-source nature make it an attractive library to include in other software projects that need to process and deal with archived files.

Two vulnerabilities recently patched in 7-Zip could put at risk of compromise many software products and devices that bundle the open-source file archiving library. The flaws, an out-of-bounds read vulnerability and a heap overflow, were discovered by researchers from Cisco’s Talos security team. They were fixed in 7-Zip 16.00, released Tuesday.

Previous research has shown that most developers do a poor job of keeping track of vulnerabilities in the third-party code they use and that they rarely update the libraries included in their projects.

“7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today,” the Cisco Talos researchers said in a blog post. “Users may be surprised to discover just how many products and appliances are affected.”

The out-of-bounds read vulnerability, tracked as CVE-2016-2335, stems from 7-Zip’s handling of Universal Disk Format (UDF) files, while the heap overflow condition, CVE-2016-2334, can occur when handling zlib compressed files.

A search on Google reveals that 7-Zip is used in many software projects, including in security devices and antivirus products. Many custom enterprise applications also likely use it.

To exploit the flaws, attackers can craft specially crafted files in those formats and deliver them in a way that would cause the vulnerable 7-Zip code to process them.

You may also like...