Update now! High-risk vulnerabilities in 7-Zip let attackers smuggle in malicious code

Updated installation packages for the 7-Zip archiving tool close two security vulnerabilities that attackers can exploit to run malicious code on victims' machines. Opening a specially crafted file is all it takes. Users should therefore install the available update promptly.


Version 23.00 of 7-Zip, released at the end of May, already closes the vulnerabilities. Version 23.01, released in June, is the current release and is available on the 7-Zip download page.

The Zero Day Initiative found and reported the vulnerabilities. First, the parser for SquashFS file system images can write outside the allocated memory area (an out-of-bounds write) because it does not adequately validate the data handed to it. Attackers can exploit the vulnerability by tricking victims into opening manipulated files (CVE-2023-40481, CVSS 7.8, risk "high").

Second, when processing 7z archives, an integer underflow can occur because the code does not adequately validate values taken from the archive before using them. Crafted archives can trigger this error as well (CVE-2023-31102, CVSS 7.8, "high").

The changelog for 7-Zip version 23.00 does not mention any security fixes. Since version 23.01 is now available, users should update to that version right away.


7-Zip has no built-in update mechanism, neither a manual update check nor automatic updates. Windows users must therefore download and run the new installation package themselves to bring the software to the fixed state. On Linux, by contrast, the package management of the distribution in use takes care of finding and installing the update.
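Because there is no update check in the tool itself, administrators have to find outdated copies on their own. The script below is an added example, not code from the article or from the 7-Zip project: it parses the version banner that 7-Zip and p7zip print when run without arguments, compares it with 23.00 (the first release the article names as containing the fixes) and reports whether a build predates it. The banner strings are constructed for the example and modelled on the tools' output; the function names are the example's own, and the fixed version is taken from the article.

```shell
#!/bin/sh
# Added example (not part of 7-Zip): triage installed 7-Zip builds by version.
# Fixed version per the article: 23.00 closes the gaps, 23.01 is current.
FIXED_VERSION="23.00"

# Constructed sample banners, modelled on what 7-Zip and p7zip print:
SAMPLE_OLD_WIN='7-Zip 22.01 (x64) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15'
SAMPLE_NEW_LINUX='7-Zip (z) 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20'
SAMPLE_P7ZIP='p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7 @ 1.80GHz (906EA),ASM,AES-NI)'

# Print the first "major.minor" token of a banner line (e.g. 22.01), or nothing.
# Matching whole fields avoids picking up "1.80GHz" or date fragments.
parse_7z_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# Exit 0 if version $1 is older than version $2 (both "major.minor").
# Done in awk so "01" is compared numerically and never read as octal.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        if (x[1] + 0 != y[1] + 0) exit !(x[1] + 0 < y[1] + 0)
        exit !(x[2] + 0 < y[2] + 0)
    }'
}

# Classify one banner line: prints "outdated <ver>", "current <ver>" or "unknown".
# Exit status: 0 current, 1 outdated, 2 unknown.
check_7z_banner() {
    ver=$(parse_7z_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "outdated $ver"
        return 1
    fi
    echo "current $ver"
    return 0
}

# Classify whatever 7-Zip binary is first in PATH (7zz is the native Linux
# build, 7z/7za/7zr come from p7zip or the Windows installation).
check_installed_7z() {
    for bin in 7zz 7z 7za 7zr; do
        if command -v "$bin" >/dev/null 2>&1; then
            banner=$("$bin" 2>/dev/null | sed -n '/[0-9]\.[0-9]/{p;q;}')
            check_7z_banner "$banner"
            return $?
        fi
    done
    echo "7-Zip not found in PATH"
    return 2
}

# Demonstration on the constructed banners; pass --installed to check this host.
for b in "$SAMPLE_OLD_WIN" "$SAMPLE_NEW_LINUX" "$SAMPLE_P7ZIP"; do
    check_7z_banner "$b" || true
done
case "${1-}" in
    --installed) check_installed_7z ;;
esac
```

Run it as `sh check_7z.sh --installed` on each host, or feed collected banner lines to `check_7z_banner` from an inventory job. The version number alone is only a triage signal for distribution packages: p7zip still reports 16.02 even where a distribution has backported fixes, which is exactly why the article points Linux users at their package manager rather than at the upstream version string.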

Vulnerabilities in the WinRAR archiving program only recently became public. There, too, attackers could have smuggled malicious code onto victims' systems with manipulated files.


(dmk)
