RAR extraction with older 7zip can cause memory corruption (CVE-2018-5996) / ZIP Shrink vulnerability (CVE-2017-17969) #1478
Comments
Not seen as much with Windows archives and Chocolatey, but there is a CVE in RAR extraction in older versions of 7zip. Upgrade to the latest edition to patch the vulnerability.

References:
- https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969
* stable: (35 commits)
  (GH-1478) Upgrade 7z to 18.1
  (GH-1490) Remove quotes/apostrophes surrounding parameter
  (maint) virtualize get_package_information
  (maint) virtualize all calls in NuGetService
  (GH-100) Log without colorization
  (GH-100) add no color feature/option
  (GH-100) add no color log4net config files
  (maint) formatting
  (#1489) Log PowerShell contents w/out formatting
  (maint) Some options could be achieved w/FOSS
  (maint) Add instructions for strong naming NuGet
  (maint) update licensing code
  (GH-1488) License validation logging
  (specs) add pack scenario nuspec
  (maint) Whitespace changes
  (GH-1500) Disable re-validation of Chocolatey License File
  (doc) update etiquette statement
  (build) allow builds with any .NET 4.x
  (doc) update licensed changelog
  (maint) update licensing
  ...
  # Conflicts:
  # README.md
Workaround

```powershell
# Ensure we can run everything
Set-ExecutionPolicy Bypass -Scope Process -Force
try
{
    # Enable TLS 1.2 (3072) and TLS 1.1 (768) alongside the protocols the
    # enum names on this .NET version; needed so the download below succeeds.
    [System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor [System.Net.SecurityProtocolType]::Tls -bor [System.Net.SecurityProtocolType]::Ssl3
}
catch
{
    Write-Warning "This may fail, if you see TLS errors, please download manually."
}

# Download the patched 7z.exe / 7z.dll over the copies Chocolatey ships in its tools folder
Invoke-WebRequest -UseBasicParsing -Uri https://cdn.rawgit.com/chocolatey/choco/1f8024c102cebe0cf2628cdab4e322416376036c/src/chocolatey.resources/tools/7z.exe -UseDefaultCredentials -OutFile "$env:ChocolateyInstall\tools\7z.exe"
Invoke-WebRequest -UseBasicParsing -Uri https://cdn.rawgit.com/chocolatey/choco/1f8024c102cebe0cf2628cdab4e322416376036c/src/chocolatey.resources/tools/7z.dll -UseDefaultCredentials -OutFile "$env:ChocolateyInstall\tools\7z.dll"
```
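A check to run before and after the workaround, as an added example that is not code from the issue or from the Chocolatey project: it reads the file version stamped on the 7z.exe and 7z.dll in Chocolatey's tools folder and flags anything older than 18.1, the minimum assumed here from the "(GH-1478) Upgrade 7z to 18.1" commit above.

```powershell
# Added example (not from the issue or Chocolatey). Reports whether the 7-Zip
# binaries bundled with Chocolatey predate the fixed release.
# Assumption: 18.1 as the threshold is taken from the "Upgrade 7z to 18.1" commit.
function Test-ChocolateySevenZip {
    [CmdletBinding()]
    param(
        [string]$ToolsPath = (Join-Path $env:ChocolateyInstall 'tools'),
        [version]$MinimumVersion = [version]'18.1'
    )

    foreach ($name in '7z.exe', '7z.dll') {
        $path = Join-Path $ToolsPath $name

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $path; Version = $null; Vulnerable = $null; Status = 'missing' }
            continue
        }

        # 7-Zip stamps FileVersion as e.g. "16.04" or "18.01"; [version] parses
        # "18.01" as 18.1, so the comparison below works on real numbers, not strings.
        $raw    = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        $parsed = $null
        if (-not [version]::TryParse($raw, [ref]$parsed)) {
            [pscustomobject]@{ File = $path; Version = $raw; Vulnerable = $null; Status = 'unparseable version' }
            continue
        }

        $vulnerable = $parsed -lt $MinimumVersion
        if ($vulnerable) {
            $status = "older than $MinimumVersion; apply the workaround or upgrade Chocolatey"
        } else {
            $status = 'ok'
        }

        [pscustomobject]@{ File = $path; Version = $parsed; Vulnerable = $vulnerable; Status = $status }
    }
}

# Usage: one row per binary; any row with Vulnerable = True still needs attention.
Test-ChocolateySevenZip | Format-Table -AutoSize
```

Run it again after the workaround to confirm both files now report 18.1 or newer.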
Got the e-mail alert for this, but I can't upgrade to 0.10.9 via

Same here, on this end.

Howdy folks - https://chocolatey.org/packages/chocolatey/0.10.9-beta-20180223 is still in moderation. It will automatically approve in the next half hour to an hour -

Magic works, thanks for the heads up. With puppet it will be a breeze ;)