
nLite Security Advisory


Posted

I just installed the Secunia Personal Software Inspector and it found a problem with a file included with the latest nLite beta.

--Technical details

Technical details about this installation of 7-Zip 4.x, you can use this information to determine why the Secunia PSI detected the program and the security state of it.

Version Detected: 4.42.0.0

Installation Path: c:\Program Files (x86)\nLite\7z.exe

The non-vulnerable version is 4.57. Please include the non-vulnerable version in the next release.


Posted

All this means is that the one used by nLite, when the latest edition was created, included the older 7z version. As we all know, these different versions are updated all the time. Not to worry. If you don't want the 7z included in nLite, I would assume you can either uninstall nLite or 'replace' the older version of 7z with the newer version. Haven't tried the latter, but it should work.

Hope this helps.

  • 4 weeks later...
Posted

According to Secunia PSI (www.secunia.org), the latest version of nLite contains a vulnerability in the included 7-Zip Standalone Console Decompressor. Will this component be updated to include a version that doesn't have the known vulnerability?

Posted

Can you explain that vulnerability?

If the tool is only used to unpack trusted files, it doesn't matter much.

Posted

I'm not sure if nLite uses the 7-Zip console at all, because the 7-Zip console requires 7z.dll and 7-zip.dll to work.

Cheers ;)

Posted

> Can you explain that vulnerability?
>
> If the tool is only used to unpack trusted files, it doesn't matter much.

I'm not sure what the impact factor of this vulnerability is; details aren't disclosed on secunia.org. Just that "The vulnerability is reported in versions prior to version 4.5.7". My reasoning is that when it's easy to prevent running an unknown risk, why not do so (upgrade the 7-Zip executable)?

Posted

Merged those 2 topics.

This 7z exe is a special compile including stuff that is needed. Gonna see about updating it but this is so trivial, who cares if it is vulnerable, we just use it to decompress addons.
