RAR extraction with older 7zip can cause memory corruption (CVE-2018-5996) / ZIP Shrink vulnerability (CVE-2017-17969) #1478

Closed
ferventcoder opened this issue Jan 24, 2018 · 5 comments

@ferventcoder ferventcoder added this to the 0.10.9 milestone Jan 24, 2018
@ferventcoder ferventcoder self-assigned this Jan 24, 2018
ferventcoder added a commit to ferventcoder/choco that referenced this issue Feb 20, 2018
Not seen as much with Windows archives and Chocolatey, but there is a
CVE in RAR extraction in older versions of 7zip. Upgrade to the latest
edition to patch the vulnerability.

References:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969
ferventcoder added a commit that referenced this issue Feb 20, 2018
Not seen as much with Windows archives and Chocolatey, but there is a
CVE in RAR extraction in older versions of 7zip. Upgrade to the latest
edition to patch the vulnerability.

References:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969
ferventcoder added a commit that referenced this issue Feb 20, 2018
* stable: (35 commits)
  (GH-1478) Upgrade 7z to 18.1
  (GH-1490) Remove quotes/apostrophes surrounding parameter
  (maint) virtualize get_package_information
  (maint) virtualize all calls in NuGetService
  (GH-100) Log without colorization
  (GH-100) add no color feature/option
  (GH-100) add no color log4net config files
  (maint) formatting
  (#1489) Log PowerShell contents w/out formatting
  (maint) Some options could be achieved w/FOSS
  (maint) Add instructions for strong naming NuGet
  (maint) update licensing code
  (GH-1488) License validation logging
  (specs) add pack scenario nuspec
  (maint) Whitespace changes
  (GH-1500) Disable re-validation of Chocolatey License File
  (doc) update etiquette statement
  (build) allow builds with any .NET 4.x
  (doc) update licensed changelog
  (maint) update licensing
  ...

# Conflicts:
#	README.md
@ferventcoder
Member Author

Workaround

```powershell
# Ensure we can run everything
Set-ExecutionPolicy Bypass -Scope Process -Force

try
{
  # 3072 = TLS 1.2 and 768 = TLS 1.1 (numeric SecurityProtocolType values)
  [System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor [System.Net.SecurityProtocolType]::Tls -bor [System.Net.SecurityProtocolType]::Ssl3
}
catch
{
  Write-Warning "This may fail, if you see TLS errors, please download manually."
}

# Download files (overwrites the 7z.exe and 7z.dll bundled with Chocolatey)
Invoke-WebRequest -UseBasicParsing -Uri "https://cdn.rawgit.com/chocolatey/choco/1f8024c102cebe0cf2628cdab4e322416376036c/src/chocolatey.resources/tools/7z.exe" -UseDefaultCredentials -OutFile "$env:ChocolateyInstall\tools\7z.exe"
Invoke-WebRequest -UseBasicParsing -Uri "https://cdn.rawgit.com/chocolatey/choco/1f8024c102cebe0cf2628cdab4e322416376036c/src/chocolatey.resources/tools/7z.dll" -UseDefaultCredentials -OutFile "$env:ChocolateyInstall\tools\7z.dll"
```
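
To confirm that the workaround or the upgrade actually replaced the bundled binaries, the following added example (not part of the original issue or the Chocolatey code base) reports the version and SHA-256 of `7z.exe` and `7z.dll` under `$env:ChocolateyInstall\tools`. The function name `Test-Bundled7Zip` is hypothetical, the 18.1 threshold is taken from the "(GH-1478) Upgrade 7z to 18.1" commit above, and PowerShell 4.0 or later is assumed for `Get-FileHash`.

```powershell
# Added example: audit the 7-Zip binaries bundled with Chocolatey.
# Assumptions: Test-Bundled7Zip is a hypothetical helper name, and 18.1 (from the
# "(GH-1478) Upgrade 7z to 18.1" commit) is the minimum acceptable version.
function Test-Bundled7Zip {
    param(
        [string]$ToolsDir = (Join-Path $env:ChocolateyInstall 'tools'),
        [version]$MinimumVersion = '18.1'
    )

    foreach ($name in '7z.exe', '7z.dll') {
        $path = Join-Path $ToolsDir $name
        $result = [pscustomobject]@{
            File = $name; Version = $null; Status = 'Missing'; SHA256 = $null
        }

        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $info = (Get-Item -LiteralPath $path).VersionInfo
            # Use the numeric parts of the version resource so "18.01" and "18.1"
            # compare identically; a file without a version resource reads as 0.0.
            $result.Version = New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart
            # The page lists no reference hashes; the digest is reported so it can
            # be compared against a copy obtained from a trusted source.
            $result.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $result.Status = if ($result.Version -ge $MinimumVersion) { 'OK' } else { 'Outdated' }
        }

        $result
    }
}

Test-Bundled7Zip | Format-List
```

Any row with a `Status` other than `OK` means that file was not replaced and the older extraction code is still in place.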

@brandonh-msft

Got the e-mail alert for this, but I can't upgrade to 0.10.9 via -pre:

```
PS C:\WINDOWS\system32> cup chocolatey chocolatey.extension -y -pre
Chocolatey v0.10.8 Professional
Upgrading the following packages:
chocolatey;chocolatey.extension
By upgrading you accept licenses for the packages.
chocolatey v0.10.8 is the latest version available based on your source(s).
chocolatey.extension v1.12.11 is the latest version available based on your source(s).
```

@marcinbojko

Same here, on this end.

@ferventcoder
Member Author

Howdy folks - https://chocolatey.org/packages/chocolatey/0.10.9-beta-20180223 is still in moderation.

It will automatically approve in the next half hour to an hour - choco upgrade chocolatey -y -pre --version 0.10.9-beta-20180223 should get you it immediately.

@marcinbojko

Magic works, thanks for the heads up. With puppet it will be a breeze ;)

@ferventcoder ferventcoder changed the title 7z.exe and RAR extraction RAR extraction with older 7zip can cause memory corruption / buffer overflows Mar 4, 2018
@ferventcoder ferventcoder changed the title RAR extraction with older 7zip can cause memory corruption / buffer overflows RAR extraction with older 7zip can cause memory corruption / buffer overflows (CVE-2018-5996 / CVE-2017-17969) Mar 4, 2018
@ferventcoder ferventcoder changed the title RAR extraction with older 7zip can cause memory corruption / buffer overflows (CVE-2018-5996 / CVE-2017-17969) RAR extraction with older 7zip can cause memory corruption / buffer overflows (CVE-2018-5996 / ZIP Shrink - CVE-2017-17969) Mar 4, 2018
@ferventcoder ferventcoder changed the title RAR extraction with older 7zip can cause memory corruption / buffer overflows (CVE-2018-5996 / ZIP Shrink - CVE-2017-17969) RAR extraction with older 7zip can cause memory corruption (CVE-2018-5996) / ZIP Shrink vulneratibility (CVE-2017-17969) Mar 4, 2018
@ferventcoder ferventcoder changed the title RAR extraction with older 7zip can cause memory corruption (CVE-2018-5996) / ZIP Shrink vulneratibility (CVE-2017-17969) RAR extraction with older 7zip can cause memory corruption (CVE-2018-5996) / ZIP Shrink vulnerability (CVE-2017-17969) Mar 4, 2018