Topic: 7z vulnerabilty
The version of 7z you use has a known vulnerability.
http://secunia.com/advisories/29434/
Please upgrade your version to the latest one.
Great program, keep the good work!
- OverFlow
- DriverPacks Administrator & BASE Developer
- Offline
Re: 7z vulnerabilty
Um an unsubstantiated claim with zero details about the Supposed exploit, name of offending code, payload, distribution statistics, Removal instructions for said exploit, ect... by an AV company that is not in a top five list, carries little weight here..
Espacialy when the title of said report is "7-zip Unspecified Vulnerability". That is just a little to vague to inspire action...
Our usage with the DriverPacks is during an install from a read only media before any network conections would possably be made.
Zero exposure... (to a problem that seemingly doesn't exist anyway) Think about it for a minute...
DP BartPE Tutorial DP_BASE Tutorial HWID's Tool Read BEFORE you post UserBars!
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
Re: 7z vulnerabilty
There is more informations on the links in the page below:
http://cve.mitre.org/cgi-bin/cvename.cg … -2008-6536
The point is, it is a simple fix (no change to source code, just replacin the executables), and the more closed doors, the better. It probably isn't a serious vulnerability, and in the scope it is used in the program is almost imposible to reproduce. Just reporting, if you want you could upgrade it. We use a tool in our office that tells us when there's any software that has a vulnerability reported, and that's why I reported. I've already fixed it in my machine (replacing the exe and dll from 7 zip, but I thought it could help others with similar tools, and using your software.
Salutes!
- OverFlow
- DriverPacks Administrator & BASE Developer
- Offline
Re: 7z vulnerabilty
from your link
This CVE Identifier has "Candidate" status and must be reviewed and accepted by the CVE Editorial Board before it can be updated to official "Entry" status on the CVE List. It may be modified or even rejected in the future.
It is not an official report.... "it is only a candidate and may be removed"
YOU have Still NOT provided any reliable source that indicates any problem at all, of anything at all...
not only is it not a serious vunerability... there is in fact no evidence of a vunerability at all...
DP BartPE Tutorial DP_BASE Tutorial HWID's Tool Read BEFORE you post UserBars!
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
Re: 7z vulnerabilty
It has been submitted to the CVE less than a month ago, and thus it is still marked as "Candidate". Of course, each company has their own policies regarding security. Secunia, which IS a reliable source of information, has been faster to declare it as a vulnerability, which is normal being an smaller private company. CVE, being a bigger and more "formal" (it is funded by Homeland Security), probably will take a little more time to declare it as a vulnerability, or not declare it at all.
However, i just reported it because it is EASY to change, and even if 7-zip has a vulnerability or not, there will be less chance of bugs using a newer version, than a 2 year old version (just see the changelog to see the number of bugfixes in the last 2 years).
And excuse me if i'm being rude, im not a native speaker and sometimes i express myself in an unpolite way.
Cheers.
- OverFlow
- DriverPacks Administrator & BASE Developer
- Offline
Re: 7z vulnerabilty
no offence taken... and many of our users are not native to English, I am used to that 
the thing is we don't have any bugs...
Because of our unique usage of the 7zip application we are not exposed now,
nor would we be exposed in the future to any potential exploit of 7zip
- especially an unreported, unspecified or more likely a non existent one...
There is no benefit for us to update 7zip, and updating could cause issues with our apps.
Un7zip our custom app, is not distributed by 7zip.
and therefore is not nor would it be affected by your indicated reports...
(Un7zip is not a 7zip application - it is our own custom app)
Un7zip is extensively tested and known for a fact to be faster with the currently used 7zip dll...
I will not give that up without a valid reason.
No valid reason has been presented yet.
Since no info about the alleged exploit is available
it is most likely that it will not even affect our custom Un7zip app.
Upgrading will definitely increase the already lengthy extraction times during the DriverPacks installation.
We are glad you brought it to our attention!
But I see absolutely no reason to change anything...
At least not at this time... and certainly not based on unsubstantiated rumor.
DP BartPE Tutorial DP_BASE Tutorial HWID's Tool Read BEFORE you post UserBars!
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
Re: 7z vulnerabilty
Loud and clear
We'll have to make an exception on our software detector.
Thanks, anyway.
- OverFlow
- DriverPacks Administrator & BASE Developer
- Offline
Re: 7z vulnerabilty
yeah... we get reports every other month about Mute.exe too...
But it is the AV vendor(s) not the mute.exe app that is the problem
usually it is AVG
(they are absolutely the worst AV - if your rating is based on the reporting of false positives)
- if i had a dollar for every false positive reported here i would be rich 
Again, Thank YOU
It is better to be safe than sorry...
DP BartPE Tutorial DP_BASE Tutorial HWID's Tool Read BEFORE you post UserBars!
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
- OverFlow
- DriverPacks Administrator & BASE Developer
- Offline
Re: 7z vulnerabilty
I got called on the carpet for my closing statement above in a Very Nice and Well Worded e-mail...
I received a link to here http://www.ee.oulu.fi/research/ouspg/pr … 0/archive/
Apparently this was all started by a a college research paper that displays the POTENTIAL to exploit many archive programs like 7zip and many others.
i wish to publicly apologize, and withdraw the word 'rumor'. Since it is actually based on a published Thesis paper at a University.
that just leaves us with unsubstantiated 
LOL (Show me a link to a SARC report or similar)
Don't ever hesitate to post a 'heads up' to a problem we may have - or potentialy could have.
We do want to know!
At this time there is just nothing for us to worry about since no known exploits actually exist in the wild 
Once an exploit was exposed we could then evaluate any potential exposure from a bootable ROM (DVD) (probably NIL)
(it is usually at this point one of my fellow team members will shoot me down LOL)
I admire your persistence and professionalism Xabib... I hope we see more of you in the future~
Have a great day and please accept our warm welcome.
DP BartPE Tutorial DP_BASE Tutorial HWID's Tool Read BEFORE you post UserBars!
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
- mr_smartepants
- Administrator & DriverPacks Developer
- Offline
Re: 7z vulnerabilty
OverFlow wrote:
It is better to be safe than sorry...
So now we are BOTH "safe" AND "sorry"
Read BEFORE you post. HWID tool DriverPacks Tutorial DONATE!
Not all heroes wear capes, some wear Kevlar!
Not all heroes wear capes, some wear Kevlar!
- OverFlow
- DriverPacks Administrator & BASE Developer
- Offline
Re: 7z vulnerabilty
ROFL...
Well yeah... It would seem so!
DP BartPE Tutorial DP_BASE Tutorial HWID's Tool Read BEFORE you post UserBars!
The DriverPacks, the DP_Base program, and Support Forum are FREE!.
The DriverPacks, the DP_Base program, and Support Forum are FREE!.