Reference: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
Details: In short, both vulnerabilities affect the "full" implementation (i.e., 7zz and its library), which includes the NTFS parser. Implementations not using the NTFS parser (e.g., 7za and 7zr) aren't affected. Both vulnerabilities were silently fixed in 24.01 (beta). No advisory (or a related change log entry) issued. CVE-2023-52168: > The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains a heap-based > buffer > overflow that allows an attacker to overwrite two bytes at multiple > offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, > i=11, etc. This vulnerability would be very hard to exploit to gain code execution. CVE-2023-52169: > The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains an > out-of-bounds read > that allows an attacker to read beyond the intended buffer. > The bytes read beyond the intended buffer are presented as a part of a > filename listed in the file system image. This has security relevance in > known web-service use cases where untrusted users can upload files > and have them extracted by a server-side 7-Zip process. This over-read bug affects implementations that: - use 7-Zip as a library to process archives, and - run a single process to process archives from multiple (untrusted) sources, and - allow users to observe file names stored in their processed archives. (Otherwise, there are no obvious security implications.) Examples include online tools to convert/extract archives. At least one online service was affected by this vulnerability: i.e., it allowed a remote attacker to leak chunks of data from a server-side process. Timeline: * 2023-08-18: the vulnerability was reported to Igor Pavlov. * 2024-01-31: a fixed version (24.01 beta) is available.
