PeaZip 2.6.2
Posted on Friday, June 12 2009 @ 14:14 CEST by Thomas De Maesschalck

Flexible, portable, secure, and free as in freedom

Changelog:
- p7zip backend updated to 9.04 (Linux)
- tightened sanitization of input strings in PeaZip GUI, as security fix against a class of possible attacks based on code injection (ref: http://secunia.com/advisories/35352/ and http://milw0rm.com/exploits/8881 ; original submission: http://retrogod.altervista.org/). To attack previous releases an attacker could build archives containing objects with non-valid filenames, containing concatenated commands in the filename "hidden" to the user by making the filename very long with spaces to trick users into not reading the latter part of the name. If unaware users had downloaded such an archive and double-clicked or otherwise opened the archived file entry containing the concatenated command, the command would have been executed (with current user rights). Fixes:
  - check file/dir names for:
    - non-allowed characters (0..31)
    - reserved characters
    - reserved file names
    - unusual spacing (5 consecutive or more, like in 7-Zip GUI), as may be intended to trick user hiding real filename
  - check command string immediately before execution for:
    - non-allowed characters
    - reserved characters for command concatenation (|<>), not used by PeaZip GUI
    - unusual spacing
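The two checks described in the changelog (validating archive entry names before they are shown or opened, and re-checking the command string immediately before it is handed to the OS) can be expressed as a small validator. The following is an added example written for this page, not PeaZip's own code: the concrete reserved-character set, the reserved device-name list and the sample archive listing are assumptions and constructed inputs, chosen to match the categories the changelog names (control characters 0..31, reserved characters, reserved names, five or more consecutive spaces, and the `|<>` concatenation characters).

```python
import re
from typing import List

# Rules modelled on the changelog's description. The concrete reserved-character and
# reserved-name sets below are assumptions (the usual Windows set), not PeaZip's own code.
CONTROL_CHARS = {chr(c) for c in range(0, 32)}          # "non-allowed characters (0..31)"
RESERVED_CHARS = set('<>:"|?*')                           # assumed Windows set, path separators excluded
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})    # assumed reserved device names
UNUSUAL_SPACING = re.compile(r" {5,}")                    # five or more consecutive spaces
COMMAND_CONCAT = set("|<>")                               # concatenation/redirection chars the GUI never needs


def check_entry_name(name: str) -> List[str]:
    """Return the problems found in an archive entry path; an empty list means it passes."""
    problems: List[str] = []
    if any(ch in CONTROL_CHARS for ch in name):
        problems.append("control character (0..31)")
    # '/' and '\' are legitimate separators inside an archive path, so inspect each component
    for component in re.split(r"[\\/]", name):
        if any(ch in RESERVED_CHARS for ch in component):
            problems.append(f"reserved character in {component!r}")
        stem = component.split(".", 1)[0].strip().upper()   # 'CON.txt' -> 'CON'
        if stem in RESERVED_NAMES:
            problems.append(f"reserved device name {component!r}")
    if UNUSUAL_SPACING.search(name):
        problems.append("unusual spacing (5+ consecutive spaces)")
    return problems


def check_command(cmd: str) -> List[str]:
    """Last-line check on a command string just before it would be passed to the OS."""
    problems: List[str] = []
    if any(ch in CONTROL_CHARS for ch in cmd):
        problems.append("control character (0..31)")
    if any(ch in COMMAND_CONCAT for ch in cmd):
        problems.append("command concatenation/redirection character (|<>)")
    if UNUSUAL_SPACING.search(cmd):
        problems.append("unusual spacing (5+ consecutive spaces)")
    return problems


def triage_listing(names: List[str]) -> dict:
    """Map each entry name to its problems; entries with a non-empty list must not be opened."""
    return {n: check_entry_name(n) for n in names}


# Constructed sample listing (not taken from any real archive): one benign path, one entry in
# the style the changelog describes (a long run of spaces pushing a trailing command out of
# view), and one reserved device name.
SAMPLE_LISTING = [
    "docs/readme.txt",
    "invoice.pdf" + " " * 60 + "| calc.exe",
    "backup/CON.txt",
]

if __name__ == "__main__":
    for entry, found in triage_listing(SAMPLE_LISTING).items():
        print(f"{entry[:40]!r:45} -> {found or 'ok'}")
    print(check_command("7z x archive.7z -oout"))
```

The entry-name check runs once when the listing is built, so the GUI can refuse to display or open a suspicious entry; the command check is deliberately separate and runs on the final string, so that even a name that slipped past the first filter cannot smuggle `|`, `<` or `>` into the spawned command.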
Program Information: Category: Tools and Utilities | Type: Free | Version: 2.6.2 | Size: 4.76MB | Works on: Windows