7-Zip Quietly Fixes Security Vulnerability Without Announcement, Other 7z-Based Compression Software Also Need Updates
Security researcher @msuhanov revealed on June 19 that the popular open-source archiver 7-Zip had fixed a buffer overflow, CVE-2023-52168, in its 24.01 beta version. A second vulnerability, CVE-2023-52169, an out-of-bounds read, shares its mechanism with a memory disclosure flaw found in the Linux ntfs3 driver.
The vulnerabilities were responsibly disclosed to developer Igor Pavlov by the researcher. However, recent update logs failed to mention any related fixes, though analysis confirms that 7-Zip 24.01 beta has indeed been patched.
For local users these vulnerabilities pose a relatively minor threat, mainly in setups where a single process handles multiple untrusted documents. On servers, however, the implications could be severe: an attacker could potentially use them to extract large amounts of data from the remote server.
Developers utilizing 7-Zip on servers for tasks like online decompression or previewing compressed file packages could be at risk of data breaches, making the vulnerabilities significantly concerning.
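Because the changelog says nothing, the only way for an operator to tell whether a server-side 7-Zip carries the fix is its version number. The following POSIX sh check is an added example, not code from the article or the 7-Zip project: it parses the banner line that `7z` prints when run without arguments and flags anything below the 24.01 threshold the article gives. The banner formats and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag 7-Zip installs older than 24.01 beta, the first release
# the article identifies as fixing CVE-2023-52168 / CVE-2023-52169.
PATCHED_VERSION="24.01"

# extract_7z_version BANNER -> prints "major.minor" found after "7-Zip"
# (or "7zip", as the p7zip fork spells it) in a `7z`/`7zz` banner line.
extract_7z_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*7-\{0,1\}[Zz]ip[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B -> exit status 0 when A >= B (numeric major, then minor)
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    # strip one leading zero so "01" compares as 1 (and is never read as octal)
    a_minor=${a_minor#0}; a_minor=${a_minor:-0}
    b_minor=${b_minor#0}; b_minor=${b_minor:-0}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# check_7z_banner BANNER -> prints a verdict; exit 0 only when patched,
# 1 when an update is needed, 2 when no version could be parsed.
check_7z_banner() {
    v=$(extract_7z_version "$1")
    if [ -z "$v" ]; then
        echo "unknown: could not parse a 7-Zip version from banner"; return 2
    fi
    if version_ge "$v" "$PATCHED_VERSION"; then
        echo "patched: 7-Zip $v (>= $PATCHED_VERSION)"; return 0
    fi
    echo "UPDATE NEEDED: 7-Zip $v (< $PATCHED_VERSION)"; return 1
}

# Constructed sample banners standing in for `7z` output on three hosts.
for banner in \
    "7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20" \
    "7-Zip 24.07 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-06-19" \
    "p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits)"
do
    check_7z_banner "$banner" || true
done
```

On a real host, pass the first non-empty line of `7z` output to `check_7z_banner`; forks such as p7zip carry their own version numbering, so a low number there means "verify with the fork's maintainer", not necessarily "unpatched".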
The controversy primarily revolves around why the developer chose not to mention the vulnerability in update logs or release any security announcements. The vulnerabilities, initially discovered on August 18, 2023, and reported to the developer the same day, were patched in the 7-Zip v24.01 Beta release on January 31, 2024. Subsequent versions, including the latest 24.07, have also addressed the issue.
The lack of communication and failure to issue a security bulletin have raised concerns among some members of the open-source community, potentially increasing the risk of exploitation.
Pavlov’s rationale for not publicizing the vulnerability was to avoid increasing the risk of attacks. However, by June 19, when the security researcher published their blog, the vulnerability had been known for 272 days, and the patched version had been available for 106 days.
This reasoning has been criticized as flawed and potentially harmful: without an announcement, users, and developers in particular, may not realize they need to update, which slows adoption of the patched version. If attackers discover the vulnerability independently, they then have a larger pool of unpatched installations to target.
Thus, the decision to remain silent is seen as unwise, leaving both security researchers and the open-source community baffled by the lack of transparency.