7-Zip quietly fixes a buffer overflow vulnerability

The popular archiving software 7-Zip recently patched two significant security vulnerabilities without notifying users or documenting the fixes in the release notes.
The developer behind the popular archiving software 7-Zip has addressed a buffer overflow vulnerability and an out-of-bounds read flaw without notifying users or including the fixes in the release notes. Security researcher Maxim Suhanov disclosed these issues, which were patched in the 24.01 beta version released earlier this year.

The two vulnerabilities were identified by Suhanov, who reported them to 7-Zip developer Igor Pavlov in August 2023. Suhanov recently made the details public.

The first vulnerability, CVE-2023-52168, concerns a buffer overflow in 7-Zip’s NTFS handler. Buffer overflows occur when a program writes more data to a buffer than it can hold, potentially allowing attackers to overwrite adjacent memory and execute arbitrary code. In this instance, the overflow could theoretically enable code execution, although Suhanov notes it would be “very difficult to exploit.” To leverage this vulnerability, an attacker would need to trick a user into opening a specially crafted malicious archive file.

The second vulnerability, CVE-2023-52169, is an out-of-bounds read in the same NTFS handler. This flaw allows reading beyond the allocated buffer, which could expose sensitive information. Such vulnerabilities are particularly concerning for web services where 7-Zip processes files uploaded by users, potentially leaking data across different user sessions.
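To make the two bug classes in the paragraphs above concrete, here is an added example that is not code from 7-Zip or from Suhanov's report. It parses a constructed, hypothetical length-prefixed record (a simplified stand-in for the kind of on-disk structure an archive or NTFS handler reads), showing the unchecked pattern that produces an overflow or an out-of-bounds read beside a hardened parser that validates the untrusted length against both the remaining input and the destination buffer. The record layout, `NAME_CAP`, the `parse_*` functions and the sample records are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical, NOT 7-Zip's NTFS structures):
 *   bytes 0..1 : little-endian length N of the name that follows
 *   bytes 2..  : N bytes of name
 * Everything in the record comes from the archive, so N is attacker
 * controlled and must be validated against two independent bounds. */

#define NAME_CAP 16   /* destination buffer size, including the NUL */

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,     /* N runs past the end of the input: the out-of-bounds read case */
    PARSE_TOO_LONG = 2,      /* N exceeds the destination: the buffer overflow case */
    PARSE_SHORT_HEADER = 3   /* not even a complete length field present */
};

/* Unsafe pattern, shown for contrast: trusts the length field from the file.
 * N larger than NAME_CAP writes past 'name' (buffer overflow); N larger than
 * the remaining input reads past 'in' (out-of-bounds read). Only ever called
 * here on a well-formed record, where it behaves like the checked version. */
static void parse_name_unchecked(const uint8_t *in, char *name)
{
    size_t n = in[0] | ((size_t)in[1] << 8);
    memcpy(name, in + 2, n);   /* no bound on n at all */
    name[n] = '\0';
}

/* Hardened parser: validates N against both the input size and the
 * destination capacity before touching memory. On success, *consumed
 * receives the number of input bytes used. */
static enum parse_result parse_name(const uint8_t *in, size_t in_len,
                                    char *name, size_t name_cap,
                                    size_t *consumed)
{
    if (in_len < 2)
        return PARSE_SHORT_HEADER;

    size_t n = in[0] | ((size_t)in[1] << 8);

    /* Out-of-bounds read check: the payload must lie inside the input. */
    if (n > in_len - 2)
        return PARSE_TRUNCATED;

    /* Overflow check: payload plus the NUL terminator must fit the target. */
    if (n >= name_cap)
        return PARSE_TOO_LONG;

    memcpy(name, in + 2, n);
    name[n] = '\0';
    *consumed = 2 + n;
    return PARSE_OK;
}

/* Constructed sample records. */
static const uint8_t REC_GOOD[]      = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t REC_TRUNCATED[] = { 0x08, 0x00, 'a', 'b', 'c' }; /* claims 8 bytes, 3 present */

/* Well-formed record: parses and consumes header plus payload. */
static int check_good(void)
{
    char name[NAME_CAP];
    size_t used = 0;
    enum parse_result r = parse_name(REC_GOOD, sizeof REC_GOOD, name, sizeof name, &used);
    return r == PARSE_OK && used == 7 && strcmp(name, "hello") == 0;
}

/* Length field points past the end of the input: rejected before any read. */
static enum parse_result check_truncated(void)
{
    char name[NAME_CAP];
    size_t used = 0;
    return parse_name(REC_TRUNCATED, sizeof REC_TRUNCATED, name, sizeof name, &used);
}

/* Length field is fully backed by input but larger than the destination:
 * rejected before any write. Built at runtime to avoid a long literal. */
static enum parse_result check_too_long(void)
{
    uint8_t rec[2 + 32];
    rec[0] = 0x20; rec[1] = 0x00;      /* N = 32 */
    memset(rec + 2, 'A', 32);
    char name[NAME_CAP];
    size_t used = 0;
    return parse_name(rec, sizeof rec, name, sizeof name, &used);
}

/* Boundary: N = NAME_CAP - 1 is the largest name that fits; N = NAME_CAP
 * would leave no room for the NUL and must be rejected. */
static int check_boundary(void)
{
    uint8_t rec[2 + NAME_CAP];
    char name[NAME_CAP];
    size_t used = 0;
    memset(rec + 2, 'B', NAME_CAP);

    rec[0] = NAME_CAP; rec[1] = 0x00;
    if (parse_name(rec, sizeof rec, name, sizeof name, &used) != PARSE_TOO_LONG)
        return 0;

    rec[0] = NAME_CAP - 1;
    if (parse_name(rec, 2 + NAME_CAP - 1, name, sizeof name, &used) != PARSE_OK)
        return 0;
    return strlen(name) == NAME_CAP - 1 && used == 2 + NAME_CAP - 1;
}

int main(void)
{
    char name[NAME_CAP];
    parse_name_unchecked(REC_GOOD, name);   /* safe only because the record is well formed */
    printf("unchecked on good record: %s\n", name);
    printf("good=%d truncated=%d too_long=%d boundary=%d\n",
           check_good(), check_truncated(), check_too_long(), check_boundary());
    return 0;
}
```

The two checks are deliberately separate: the first protects the read side (the class of CVE-2023-52169), the second the write side (the class of CVE-2023-52168), and a parser that performs only one of them still has the other bug.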

Patch and response

Both vulnerabilities were fixed in the 24.01 beta version of 7-Zip, released on January 31, 2024. However, these fixes were implemented quietly, without any advisory or related changelog entries. Suhanov expressed concern over this lack of transparency, stating, “Both vulnerabilities have been quietly fixed. No advisory (or related changelog entry) has been issued.”

The 7-Zip website and the official changelog do not mention these security issues or their resolution, which raises questions about communication practices regarding security patches in widely used software. While 7-Zip’s developer has addressed these vulnerabilities, the lack of transparency in the process is concerning.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.