Security issue due to use of 7z 9.20 binaries #1

Closed
Omoronovo opened this issue May 16, 2016 · 1 comment
Comments

Omoronovo commented May 16, 2016

I decided to post this here due to there being few other places where this kind of issue can be brought to the attention of the developers. It has recently been discovered that 7z libraries prior to version 16.00 are vulnerable to many vulnerabilities with regards to malformed file handling and input validation. The advisory from Talos Security is here.

Although these latest vulnerabilities are somewhat more of a concern for mac users, any file format (including standard .7z/LZMA compressed files) can contain these file system images, and enable code execution at whatever privilege level the host application is run at, on any platform. This is a big issue for NMM since basically every mod is compressed (and hence, decompressed) via 7z within the program. Any one of the thousands of mods listed on the site could be harbouring an exploit to this - it wouldn't necessarily be detectable by antivirus or malware scanners if the exploit isn't inherently malicious - like adware or nagware.

I have replaced the 7z 9.20 binaries in my own install of NMM with the 16.00 binaries and have had zero issues, but I have no idea if the API between these versions has changed, which is why I haven't attempted to update the codebase myself.

I'd appreciate if an active and knowledgeable developer could chime in on whether replacing the 9.20 binaries with the 16.00 binaries would cause any unexpected breakage.

Edit: Just to clarify, these issues affect every 7z library from version 4.59b onwards, which added UDF support.
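The issue describes the affected range (7-Zip builds from 4.59b up to, but not including, 16.00) and the mitigation of swapping the bundled binaries. The PowerShell script below is an added example, not code from the issue or from the NMM project: it walks an install directory, reads the PE version resource of every 7z*.dll it finds, and flags any whose file version falls inside that range. The default install path and the `7z*.dll` file-name pattern are assumptions; adjust them to your own layout.

```powershell
# Added example (not from the issue or the NMM project): report 7-Zip DLLs under an
# install directory whose file version lies in the range the issue calls affected
# (>= 4.59, < 16.00). Install path and DLL name pattern are assumptions.
param(
    [string]$InstallDir = "C:\Program Files\Nexus Mod Manager"   # assumed path; change as needed
)

$affectedFrom = [version]"4.59"    # UDF support added here, per the issue
$fixedIn      = [version]"16.0"    # first release the issue describes as not affected

Get-ChildItem -Path $InstallDir -Recurse -Filter "7z*.dll" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Use the numeric parts of the PE version resource rather than parsing the
        # display string, which vendors format inconsistently.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart)
        [pscustomobject]@{
            Path     = $_.FullName
            Version  = $ver.ToString()
            Affected = ($ver -ge $affectedFrom -and $ver -lt $fixedIn)
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt only if the install directory requires it; the script reads file metadata and changes nothing. A DLL reported as Affected should be replaced with a 16.00-or-later build, and the replacement should then be re-checked the same way, since a stale copy left in a sub-directory is easy to miss.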

DuskDweller (Collaborator) commented

This was fixed with the release of 0.62.

@jbostrus jbostrus mentioned this issue Oct 12, 2017
DuskDweller pushed a commit that referenced this issue Jan 16, 2018
@Lkalter Lkalter mentioned this issue May 14, 2019