Remove ACE plugin due to multiple CVEs affecting decade old ACEv2.dll #90
Assignees
Comments
Far.exe itself can not open archives, that is done by plugins. If the standard Arclite plugin out of the box handles ACE format then yes, it is a problem. Otherwise it is not Far Manager's concern. |
Do you see ACEv2.dll anywhere in the distribution package? |
|
I'm sorry, I saw the ACE dll in the source repo (newarc plugin) and mistakenly assumed it's included in the default distribution. |
|
Newarc has never been released (and hardly will ever be), so it's nothing to worry about. However, we should probably remove the dll for good just in case. Thanks for reporting. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sorry if this was already reported/fixed in any of the russian language discussions.
Basically a serious RCE was discoverd in the ACE archive unpacking code, which can be triggered by simply opening an archive of this format in far.
https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://www.bleepingcomputer.com/news/security/malspam-exploits-winrar-ace-vulnerability-to-install-a-backdoor/
The text was updated successfully, but these errors were encountered: