The flaws could allow arbitrary code execution when the 7-Zip library processes specially crafted files
Two vulnerabilities recently patched in 7-Zip could put at risk many software products and devices that bundle the open-source file archiving library.
The flaws, an out-of-bounds read vulnerability and a heap overflow, were discovered by researchers from Cisco’s Talos security team. They were fixed in 7-Zip 16.00, released Tuesday.
The 7-Zip software can pack and unpack files using a large number of archive formats, including its own 7z format, which is more efficient than ZIP. Its versatility and open-source nature make it an attractive library to include in other software projects that need to process and deal with archived files.
Previous research has shown that most developers do a poor job of keeping track of vulnerabilities in the third-party code they use and that they rarely update the libraries included in their projects.
“7-Zip is supported on all major platforms, and is one of the most popular archive utilities in use today,” the Cisco Talos researchers said in a blog post. “Users may be surprised to discover just how many products and appliances are affected.”
A search on Google reveals that 7-Zip is used in many software projects, including in security devices and antivirus products. Many custom enterprise applications also likely use it.
The out-of-bounds read vulnerability, tracked as CVE-2016-2335, stems from 7-Zip’s handling of Universal Disk Format (UDF) files, while the heap overflow condition, CVE-2016-2334, can occur when handling zlib compressed files.
To exploit the flaws, attackers can create specially crafted files in those formats and deliver them in a way that would cause the vulnerable 7-Zip code to process them.
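Because the article's point is that 7-Zip is bundled into many products whose maintainers rarely track the versions of third-party code they ship, the practical defensive step is an inventory: find every copy of the 7-Zip library on a system and flag those older than the fixed release, 16.00. The script below is an added example written for this page, not code from the article or from the 7-Zip project. It assumes (as a heuristic) that bundled copies use the common file names listed in CANDIDATE_NAMES and that the binary contains a version string of the form "7-Zip NN.NN", either as plain ASCII or as UTF-16LE in a Windows version resource; the sample files it builds are constructed stand-ins, not real 7-Zip binaries.

```python
"""Inventory bundled 7-Zip library copies and flag versions below 16.00.

Added example for this page; it is not 7-Zip project code. File names and
the version-string layout are assumptions used as a scanning heuristic.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int]

# The release that carries the fixes for CVE-2016-2334 and CVE-2016-2335.
FIXED_VERSION: Version = (16, 0)

# Assumed file names under which 7-Zip is commonly redistributed.
CANDIDATE_NAMES = {"7z.dll", "7z.so", "7za.exe", "7z.exe", "7zxa.dll",
                   "7-zip.dll", "7za", "7zr"}

# Assumed version-string layout: "7-Zip 15.14 (x64)" as ASCII ...
_ASCII_RE = re.compile(rb"7-Zip\s+(\d{1,2})\.(\d{2})")
# ... or the same text encoded as UTF-16LE (every char followed by a NUL).
_UTF16_RE = re.compile(
    rb"7\x00-\x00Z\x00i\x00p\x00(?: \x00)+((?:\d\x00){1,2})\.\x00((?:\d\x00){2})")


def parse_version(text: str) -> Version:
    """Turn '16.00' into the comparable tuple (16, 0)."""
    major, minor = text.split(".", 1)
    return int(major), int(minor)


def extract_version(path: Path) -> Optional[Version]:
    """Return the first 7-Zip version string found in a binary, or None."""
    data = path.read_bytes()
    m = _ASCII_RE.search(data)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _UTF16_RE.search(data)
    if m:
        major = m.group(1).replace(b"\x00", b"")
        minor = m.group(2).replace(b"\x00", b"")
        return int(major), int(minor)
    return None


def is_vulnerable(version: Optional[Version]) -> Optional[bool]:
    """True if older than the fixed release, None if the version is unknown."""
    if version is None:
        return None
    return version < FIXED_VERSION


def scan_tree(root: Path) -> Dict[str, dict]:
    """Walk a directory tree and report every candidate 7-Zip library copy."""
    report: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in CANDIDATE_NAMES:
                continue
            path = Path(dirpath) / name
            version = extract_version(path)
            key = path.relative_to(root).as_posix()
            report[key] = {"version": version, "vulnerable": is_vulnerable(version)}
    return report


def build_demo_tree() -> Path:
    """Create constructed sample files in a temp dir (not real 7-Zip binaries)."""
    root = Path(tempfile.mkdtemp(prefix="7zip-demo-"))
    (root / "appA").mkdir()
    (root / "appA" / "7z.dll").write_bytes(b"MZ junk 7-Zip 15.14 (x64) junk\x00")
    (root / "appB").mkdir()
    (root / "appB" / "7z.dll").write_bytes(
        b"junk" + "7-Zip 16.00".encode("utf-16-le") + b"junk")
    (root / "appC").mkdir()
    (root / "appC" / "7z.so").write_bytes(b"\x7fELF no version string here")
    return root


if __name__ == "__main__":
    for rel, info in sorted(scan_tree(build_demo_tree()).items()):
        status = {True: "UPDATE (< 16.00)", False: "ok", None: "unknown version"}
        print(f"{rel}: {info['version']} -> {status[info['vulnerable']]}")
```

On a real host you would call scan_tree on the program directories of interest; a hit with an unknown version still deserves a manual look, since a stripped or repackaged copy may carry no version string at all.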