Chocolatey is shipped with a vulnerable 7zip #1556
Comments
@Skons you understand responsible security reporting right?
Just because Chocolatey is open source, you should probably let us know privately so we can fix the issue - especially since it was just announced like yesterday.
https://chocolatey.org/security for next time. Please follow proper procedures for something like this.
I'm totally sorry for this, I thought I was doing this the right way.
No worries - security issues are sensitive. That's why that article had dates listed for when they found the vulnerability, let the vendor know and all of that before it became public. Timeline of Disclosure
@Skons it's no worries, and it did point out a gap in issue reporting process. Now we have it in the issue template to help folks down the right path. We'll get this fixed and pushed out soon.
"This" being fixing the vulnerability.
Duplicate of #1557
I know this sounds weird to have a duplicate in a newer issue, but @gep13 must have thought this was on the chocolatey.org repo and created the new issue to point to as part of his pull request. 😄
@ferventcoder yeah, I had a bit of a noob moment, where I forgot about this issue when I was working through the process of doing the actual update. I had already created the commit, and referenced the new issue, so I thought I would leave it and hope nobody noticed 🎉
When doing the paperwork, it always comes up ;)
Chocolatey is shipped with 7zip version 18.1.0.0 which allows remote code execution. While I doubt it is easily abused in the context of chocolatey or the choco packages, users that do not have full blown execution rights on a machine could abuse this vulnerable 7zip executable. Can a new choco version be published with an updated 7zip version?
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
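An added check (not from the issue or from Chocolatey itself) for administrators who want to see which 7z.exe their Chocolatey install bundles and whether it is at or below the 18.1.0.0 version named above. It assumes the default layout of `$env:ChocolateyInstall\tools\7z.exe`, falling back to `C:\ProgramData\chocolatey`.

```powershell
# Report the file version of the 7z.exe that Chocolatey bundles and flag
# anything at or below the 18.1.0.0 version reported in this issue.
# Assumption: 7z.exe lives under <ChocolateyInstall>\tools (default layout).
$chocoRoot = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { 'C:\ProgramData\chocolatey' }
$sevenZip  = Join-Path $chocoRoot 'tools\7z.exe'

if (-not (Test-Path $sevenZip)) {
    Write-Warning "Bundled 7z.exe not found at $sevenZip"
    return
}

# FileVersion is a string such as "18.01"; strip any trailing text before casting.
$versionInfo = (Get-Item $sevenZip).VersionInfo
$fileVersion = [version]($versionInfo.FileVersion -replace '[^\d.].*$', '')
$reportedBad = [version]'18.1.0.0'   # version named in this issue

[pscustomobject]@{
    Path        = $sevenZip
    FileVersion = $fileVersion
    Status      = if ($fileVersion -le $reportedBad) {
                      'at or below the version reported here; update Chocolatey'
                  } else {
                      'newer than the version reported here'
                  }
}
```

Run it in an elevated or normal PowerShell session; it only reads file metadata and does not change anything.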