With the new 7zip exploit aren't we also at risk?

Posted: May 14th, 2016, 12:04 pm
by ceroz
Since SABnzbd uses the command line version of 7zip for 7zip support, aren't we also at risk because of this vulnerability? Couldn't an attacker upload a 7zip archive with the exploit and post it as a TV episode, causing Sick Beard/Sonarr users to automatically download it and then trigger the 7zip extraction?

Re: With the new 7zip exploit aren't we also at risk?

Posted: May 14th, 2016, 1:38 pm
by shypike
You mean this report?
http://blog.talosintel.com/2016/05/mult ... ities.html

We'll upgrade the next release to the latest 7zip binaries.
Linux users should update outside of SABnzbd.

Re: With the new 7zip exploit aren't we also at risk?

Posted: May 14th, 2016, 1:42 pm
by ceroz
Yes, thank you :)

Re: With the new 7zip exploit aren't we also at risk?

Posted: May 14th, 2016, 2:06 pm
by shypike
Looking at the description, it seems to be about HFS/UDF support.
SABnzbd will only send .7z files to 7zip.
For OSX there's no updated 7zip anyway.

Version 9.20 (which we include) does not contain the HFS issue.
It does contain the UDF issue, but if we add the parameter -t7z
the 7zip tool will refuse to process any .7z file which isn't in 7ZIP format.
This means that an attacker can rename a dangerous .udf file to .7z,
but then 7zip will refuse to process it.

This should be enough to cover the problem for now.
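The mitigation in the post above is to pin the archive type so a renamed file of another format never reaches the UDF parser. As an added example (not SABnzbd's own code), this does the same check up front on the file's magic bytes and builds the type-pinned 7zip command line; the binary name `7za` and the sample files are assumptions constructed for the demo.

```python
"""Refuse to hand non-7z data to 7zip, regardless of the file extension.

The thread's scenario is a dangerous .udf file renamed to .7z. Two layers:
check the 7z signature ourselves, then pass -t7z so 7zip also refuses
anything that is not in 7z format. Sample inputs are constructed inline.
"""
import os
import tempfile

# Every 7z archive starts with the six bytes '7z' BC AF 27 1C.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def is_real_7z(path: str) -> bool:
    """True only if the file begins with the 7z signature; extension ignored."""
    with open(path, "rb") as fh:
        return fh.read(len(SEVENZ_MAGIC)) == SEVENZ_MAGIC


def build_extract_cmd(archive: str, dest: str, sevenzip: str = "7za") -> list:
    """argv for a type-pinned extraction. -t7z is the switch from the post;
    '7za' is an assumed binary name, not necessarily what SABnzbd calls."""
    if not is_real_7z(archive):
        raise ValueError(f"{archive}: not a 7z archive, refusing to extract")
    return [sevenzip, "x", "-t7z", "-y", f"-o{dest}", archive]


def demo() -> dict:
    """Constructed inputs: a genuine 7z header and an unrelated blob renamed
    to .7z. Returns the argv that would run, or 'refused', per file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "episode.7z")
        with open(good, "wb") as fh:
            fh.write(SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 26)
        bad = os.path.join(tmp, "renamed.7z")  # constructed: not a 7z file
        with open(bad, "wb") as fh:
            fh.write(b"\x00" * 64)
        for name, path in (("episode.7z", good), ("renamed.7z", bad)):
            try:
                results[name] = build_extract_cmd(path, tmp)
            except ValueError:
                results[name] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```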