7-Zip, a popular open-source file archiving application used to compress and decompress files, has issued patches for input validation vulnerabilities that can lead to remote code execution. The flaws, both discovered by researcher Marcin Noga, are especially worrisome because 7-Zip business customers, which include vendors of security devices and antivirus solutions, may not be aware that they're using exploitable libraries, explained Cisco's research division Talos in a blog post yesterday.
The first flaw is an out-of-bounds read vulnerability that affects how 7-Zip handles Universal Disk Format (UDF) files – a format for DVD-Video and DVD-Audio. The second is described in the blog as “an exploitable heap overflow vulnerability that exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip.”
“Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications' security,” the blog post concluded.
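The two bug classes named above, an out-of-bounds read and a heap overflow, share the root cause the blog post points to: a length field taken from the file was trusted without being checked against what is actually there. The following C example is added here to illustrate the defensive pattern; it is not 7-Zip's UDF or HFS code, and the record layout (one declared-length byte followed by the payload) and the function names `extract_payload` and `build_record` are constructed for this illustration. It shows the two checks whose absence produces each flaw: the declared length against the bytes present in the input (read past the end) and against the capacity of the destination (write past the end).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed record format for this example (not 7-Zip's UDF or HFS code):
 *   byte 0      : declared payload length (attacker-controlled in a real file)
 *   bytes 1..n  : payload
 */

/* Outcome codes returned by extract_payload(). */
enum {
    EXTRACT_OK         = 0,
    ERR_TRUNCATED      = -1,  /* declared length runs past the input: would be an OOB read */
    ERR_DEST_TOO_SMALL = -2   /* declared length exceeds destination: would be a heap overflow */
};

/*
 * Copy the payload of one record into `out`, validating the declared length
 * against BOTH the bytes actually present in `buf` and the capacity of `out`.
 * On success returns EXTRACT_OK and stores the payload length in *copied.
 */
int extract_payload(const uint8_t *buf, size_t buf_len,
                    uint8_t *out, size_t out_cap, size_t *copied)
{
    if (buf == NULL || buf_len < 1)
        return ERR_TRUNCATED;            /* no room even for the length byte */

    size_t declared = buf[0];

    /* Check 1: the length field must not point past the end of the input.
       Omitting this check is the out-of-bounds read pattern. */
    if (declared > buf_len - 1)
        return ERR_TRUNCATED;

    /* Check 2: the length field must fit the destination buffer.
       Omitting this check is the heap-overflow pattern. */
    if (declared > out_cap)
        return ERR_DEST_TOO_SMALL;

    memcpy(out, buf + 1, declared);
    *copied = declared;
    return EXTRACT_OK;
}

/* Test/demo helper: builds a record with a given declared length and a given
   number of actual payload bytes (fewer than declared simulates a truncated
   or malicious file). Returns the total record size, or 0 if it does not fit. */
size_t build_record(uint8_t *rec, size_t rec_cap, uint8_t declared, size_t actual)
{
    if (rec_cap < 1 + actual)
        return 0;
    rec[0] = declared;
    for (size_t i = 0; i < actual; i++)
        rec[1 + i] = (uint8_t)('A' + (i % 26));   /* constructed payload bytes */
    return 1 + actual;
}

int main(void)
{
    uint8_t rec[64], out[16];
    size_t n, copied = 0;

    /* Well-formed record: declares 5 bytes, carries 5 bytes. */
    n = build_record(rec, sizeof rec, 5, 5);
    printf("well-formed: rc=%d copied=%zu\n",
           extract_payload(rec, n, out, sizeof out, &copied), copied);

    /* Malformed record: declares 200 bytes but only 5 are present. */
    n = build_record(rec, sizeof rec, 200, 5);
    printf("truncated:   rc=%d\n", extract_payload(rec, n, out, sizeof out, &copied));

    /* Complete record that is larger than the 16-byte destination. */
    n = build_record(rec, sizeof rec, 40, 40);
    printf("too large:   rc=%d\n", extract_payload(rec, n, out, sizeof out, &copied));
    return 0;
}
```

Both checks are cheap and are the kind a code reviewer or fuzzing harness should look for wherever a size is read from untrusted file data, as the Talos post's conclusion about input validation suggests.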
The latest upgrade to 7-Zip, version 16.00, contains patches for these flaws.