Thanks, updated!
Thanks for the heads up broskie! +1 you saved me from a world of hurt.

was on 18.1.0 I am amazed they went to 18.5 right away.
Post edited May 05, 2018 by DreamedArtist
I guess I don't get it... how can software that's used locally be a security exploit?
Splatsch: Hi just crossed this info on the web, and only wanted to relay it here in case people are using it and may not see this info.
So a security flaw has been detected, but it has been corrected in the last version, so if you use 7zip, update it as soon as possible!

The article:
https://www.pcgamer.com/a-serious-security-vulnerability-has-been-found-in-7-zip/

The site of 7zip:
https://www.7-zip.org/

That's all :)
Thanks for the notice!
teceem: I guess I don't get it... how can software that's used locally be a security exploit?
What you're uncompressing can fire off instructions to do things like run other programs or create hidden accounts in your Windows install.

Or at least that's how it looks to me when I skim the original post:

https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/

Stressing that I skimmed it.

What concerns me though looking at that page, the 7zip folks ignored the original report and didn't acknowledge it until the CVE was filed.
teceem: I guess I don't get it... how can software that's used locally be a security exploit?
In the case of stuff like 7z:

Create an archive with malicious code and a way that unpacking that archive crashes 7z in a way that the next instruction pointer of the CPU points at the malicious code already in memory. Exploits like this are really the bread-and-butter of hacking. Stuff like that has hit multiple archivers in the past, image viewers, anti-virus (also often with an unpacking crash hack - and esp. malicious since AV has system rights).

Also most rootings of game consoles worked with stuff like that: Controlled crashing of the original bootloader/OS to inject your own code.
teceem: I guess I don't get it... how can software that's used locally be a security exploit?
drmike: What you're uncompressing can fire off instructions to do things like run other programs or create hidden accounts in your Windows install.

Or at least that's how it looks to me when I skim the original post:

https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/

Stressing that I skimmed it.

What concerns me though looking at that page, the 7zip folks ignored the original report and didn't acknowledge it until the CVE was filed.
Thanks for the explanation! I can see now why it didn't make sense to me; I don't just unpack any zip file. I'm not saying I'm perfect and that nothing can happen to me - but they make it sound so 'dramatic' because it's aimed at anyone.
Thanks for the heads-up. Unlike "the name of *thefile* has been ~UPDATED~ to *the_file* featuring ~OVERLAY~" style updates, this is actually a real useful update :D
Splatsch: *snip*
Thanks for the tip.
Tauto: I said ''or so ago'':)
drmike: I know. God forbid I suggest that the mighty and all powerful Tauto makes such a mistake here on the forums.
Themken:
drmike:
You may *bow*.
DreamedArtist: was on 18.1.0 I am amazed they went to 18.5 right away.
Nope, it was 18.01 and now 18.05 :p
DreamedArtist: was on 18.1.0 I am amazed they went to 18.5 right away.
triock: Nope, it was 18.01 and now 18.05 :p
Close enough haha
misteryo: hanks!
tom? ;)
thanks for the info!
Just noticed they have v9.3 alpha here where I'm working this weekend back from 2012.

Guess I better update it for them. I'm such a nice guy. :)