7-Zip compression program,software contains a severe vulnerability.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29072

Apparently, the CVE it's disputed...

 

What are the best alternatives to this program besides WinRAR? I'm curious if I should try something else.

 

. ARJ

 

Just keep using this program. Just because there is vulnerability doesn't mean you can trigger it in practice. The fact there is even a dispute means it's far than straightforward to trigger it.

 

There is no exploitable issue here, the reportee is actually trying to profit on a vulnerability that doesn't exist.

 

I was thinking that some program could offer an overall improvement, or is 7-zip just strictly the best?

 

Winrar and 7zip are pretty much the best you can get. Winrar is actually better, because you can customize it more and you can add recovery informations on the archive created. Also, I noticed that if you wants to pack a series of images in a cbr/cbz file (the format used to read the digital comics), 7zip gives errors, while winrar always work (the process needs to create a zip archive saved with the extension cbr or cbz).
I tried winzip and it's improved a lot and has also the ability to use the gpu acceleration. I was able to compress very big folders full of files in few seconds compared to 7zip, using a RX480. But at the moment the best level of compression needs the file format .zipx, that it's not supported by 7zip. Also, I find it difficult to customize the right click menu explorer.

The best would be a winrar build with opencl acceleration support.

 

Just take a look at Sourceforge discussion - it totally looks like a scam
https://sourceforge.net/p/sevenzip/bugs/2337/

Help file viewer executes a file... great - you could drag CMD with virtually the same effect.
Priv escalation - without 7-zip process running as system, you can hardly think of 7-zip exposing system user.

 

I don't even know what's supposed to be 7-zip's "help page" and why I should drag'n'drop files there in the first place. So, regardless of the exploit being real or not, it seems pretty safe.

 

The constant fire alarms for clicks that all these sites do with vulnerabilities is getting REALLY annoying. Especially since I'm a sysadmin.

Some brainless exec reads an article and thinks the end of the world is coming. Let's rush a patch out by today without testing!

 

If the vulnerability is real, you first need to have access to the system before you could use it which is too little too late. This is only dangerous if you have users who could gain administrator rights on a system they have limited access to.

 

It might be relatively harmless to you and me but any evil sub-admin, any unsatisfied employee with modest skills etc.. those just need any easy to use lever to wreck havoc.

Better save than sorry.

 

According to the discussion on sourceforge it "might" be a vulnerability with the windows compiled help viewer hh.exe , not 7z itself
Essentially 7z uses the windows default app to display its help . The 7zip help comes in the form of an chm file (compiled html) .
CHM has being declared as deprecated already in the past by microsoft, but still they use it themselfs alot , because its quite a handy and compact format.

So if the user has the .CHM filetype assigned to be handled by the default program ( hh.exe - this is the default in vanilla windows i think, but i'm not quite 100% sure ), pressing F1 in 7zip opens the help using that said hh.exe.
The user then can drag a specifically created, malicious html file onto the Help viewer ( hh.exe , i repeat this is a Windows program - i'm not sure if it comes with windows by default),
hh.exe can execute the malicious code in that html file ( if your current user runs with the required privileges )
So inshort:
this is a hh.exe / windows vulnarbility if its a vulnaribility at all
of course you can do the same using a powershell script or dos batch file and have it execute commands according the the users privileges
Just a pretty blown out of proportions case of captain obvious, if you ask me ...

 

I don't like that the app requires admin rights to be installed (and try to avoid this when there is an Unknown verified publisher). As a workaround I always install 7-zip with following command and no admin rights:

msiexec /i 7z2107-x64.msi INSTALLDIR=%USERPROFILE%\7-Zip\ MSIINSTALLPERUSER=1

 

HH is the only chm viewer that works properly.

 

Still using and have been using WinRar for decades. Going 7-zip would feel like cheating on my partner.

There are pretty neat skins for it as well.

 

it's open source. some restrictions apply for the unrar code "thanks" to winrar (but this is for every archive management software that support winrar archives)

 

Powerarchiver.