Die Opensource Archivierungssoftware, 7-Zip, hat ein Update erhalten, dass die Sicherheitslücke CVE-2018-10115 schließen soll. Die Release Notes listen die Änderungen seit 18.01. auf:
7-Zip ab 18.01 Relase Notes
- The speed for single-thread LZMA/LZMA2 decoding
was increased by 30% in x64 version and by 3% in x86 version. - 7-Zip now can use multi-threading for 7z/LZMA2 decoding,
if there are multiple independent data chunks in LZMA2 stream. - 7-Zip now can use multi-threading for xz decoding,
if there are multiple blocks in xz stream. - The speed for LZMA/LZMA2 compressing was increased
by 8% for fastest/fast compression levels and
by 3% for normal/maximum compression levels. - 7-Zip now shows Properties (Info) window and CRC/SHA results window
as “list view” window instead of “message box” window. - Some improvements in zip, hfs and dmg code.
- Previous versions of 7-Zip could work incorrectly in “Large memory pages” mode in
Windows 10 because of some BUG with “Large Pages” in Windows 10.
Now 7-Zip doesn’t use “Large Pages” on Windows 10 up to revision 1709 (16299). - The vulnerability in RAR unpacking code was fixed (CVE-2018-10115).
- Some bugs were fixed.
- New localization: Kabyle.
Quelle: https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/
Achtung einige Webseiten informieren über eine weitere generelle Lücke in 7-Zip. Demnach ist es einem Angreifer möglich, auf Grund der Art der Installation von 7-Zip, ein DLL-Hijacking durchzuführen. Dabei werden wichtige .dll Dateien bei der Installation ausgetauscht und der Angreifer erhält administrative Berechtigungen.