Open Source and information security mailing list archives
Message-Id: <201509301104.t8UB4rAd020788@sf01web1.securityfocus.com>
Date: Wed, 30 Sep 2015 11:04:53 GMT
From: dev@...lab.com
To: bugtraq@...urityfocus.com
Subject: Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability

I am a WinRAR developer. We published the official comment on www.rarlab.com here:
http://rarlab.com/vuln_sfx_html.htm

This "vulnerability" is a non-issue. Why attempt to find some hackish esoteric way for a feature which is present in SFX archives officially? Any SFX archive can run contained executable files; it is required for installers. Any SFX archive, just like any exe file and any software installer, is potentially dangerous for user computers and must be started only if received from a trustworthy source.

Self-extracting archives are .exe themselves; one of their basic functions is code execution for executables stored in archives. They also allow running any kind of web downloader, because it is needed for software installers. So that researcher discovered that self-extracting archives, which are exe themselves and designed to be able to run contained exe, can actually run exe. No surprise here and no new risks for users. All associated risks are already present in standard SFX functions and exe design.
