Bit7z v4.0.12


@rikyoz rikyoz released this 15 May 17:25
9a43c9f

⚠️ Security Update ⚠️

This security bugfix release fixes two CVEs reported by @Smarttfoxx:

CVE-2026-45380: An error in how bit7z restored symbolic links from archives allowed an attacker to craft an archive that, when extracted with bit7z on any non-Windows platform, could create a symlink escaping the intended output directory to at most the parent of the output directory. Subsequent archive entries extracted through this symlink would write arbitrary files to the parent of the extraction directory with the permissions of the extracting process.

Note

Windows is not affected: symbolic link restoration is not supported on this platform, at least for now.
On POSIX platforms, the traversal is bounded: an attacker can escape the extraction directory by at most one level.
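As an added illustration (this is not bit7z's own code), the following shows the kind of check the v4.0.12 change list describes for this CVE: the stored link target is resolved against the symlink's own parent directory, which is how the OS will resolve it at runtime, and the result must stay inside the extraction output directory. Embedded null characters are handled in both BIT7Z_PATH_SANITIZATION modes (rejected, or replaced with `_`), while newlines pass through because POSIX allows them. The function names, the `NullPolicy` enum and the `/srv/extract` paths are this example's own; only lexical path operations are used, so nothing touches the disk.

```cpp
// Added example, not bit7z code: validating an archive's symlink entry before
// recreating it. The target is resolved relative to the link's own parent
// directory and must remain inside the extraction root.
#include <filesystem>
#include <stdexcept>
#include <string>
#include <utility>

namespace fs = std::filesystem;

// Mirrors the two BIT7Z_PATH_SANITIZATION settings (names are this example's own).
enum class NullPolicy { Reject, Replace };

struct SymlinkPlan {
    fs::path linkPath;  // where the link will be created on disk
    fs::path target;    // target handed to create_symlink, kept relative as stored
};

// True if `p` is `root` itself or lies below it, judged purely lexically.
// Both sides are normalized first so "a/../b" style components are collapsed.
bool lexicallyInside(const fs::path& root, const fs::path& p) {
    const fs::path rel = p.lexically_normal().lexically_relative(root.lexically_normal());
    if (rel.empty()) {
        return false;  // incomparable (absolute vs. relative, or different root names)
    }
    return rel.begin()->string() != "..";  // a leading ".." means it escapes the root
}

// Applies the null-character policy to one path string read from the archive.
std::string handleNulls(std::string s, NullPolicy policy) {
    if (s.find('\0') == std::string::npos) {
        return s;
    }
    if (policy == NullPolicy::Reject) {
        throw std::invalid_argument("embedded null character in archive path");
    }
    for (char& c : s) {
        if (c == '\0') c = '_';
    }
    return s;
}

// Plans the recreation of symlink entry `entryPath` (its path inside the archive)
// with stored target `target`. Throws if either would leave `outputDir`.
SymlinkPlan planSymlink(const fs::path& outputDir, std::string entryPath,
                        std::string target, NullPolicy policy = NullPolicy::Reject) {
    entryPath = handleNulls(std::move(entryPath), policy);
    target    = handleNulls(std::move(target), policy);
    // Newlines are legal in POSIX names and link targets, so they are left alone.

    const fs::path linkPath = outputDir / fs::path(entryPath);
    if (!lexicallyInside(outputDir, linkPath)) {
        throw std::runtime_error("symlink entry escapes the output directory");
    }

    // The OS resolves a relative target against the directory that contains the
    // link, not against the extraction root, so validate against that same base.
    const fs::path tgt(target);
    const fs::path resolved = tgt.is_absolute() ? tgt : linkPath.parent_path() / tgt;
    if (!lexicallyInside(outputDir, resolved)) {
        throw std::runtime_error("symlink target escapes the output directory");
    }
    return SymlinkPlan{linkPath, tgt};
}

// Yes/no wrapper for callers that do not need the plan itself.
bool isSafeSymlinkEntry(const fs::path& outputDir, const std::string& entryPath,
                        const std::string& target, NullPolicy policy = NullPolicy::Reject) {
    try {
        planSymlink(outputDir, entryPath, target, policy);
        return true;
    } catch (const std::exception&) {
        return false;
    }
}
```

With this check, `docs/link -> ../README` is accepted (it resolves to `/srv/extract/README`) while `link -> ../escaped` resolving to `/srv/escaped` is rejected, which is exactly the one-level escape bounded above. The check is lexical only; an extractor still has to make sure later entries are not written through a symlink that an earlier entry already created, which is the second half of the attack described in this CVE.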

CVE-2026-45384: When updating an archive, bit7z uses a temporary file with a predictable name (i.e., <archive_path>.tmp). This allowed an attacker with write access to the archive directory to pre-place a symlink with the same path as the temporary file but pointing to an arbitrary target file. When a process subsequently updates the archive, the library follows the symlink and overwrites the target with archive data.

Note

Successfully exploiting this vulnerability requires the attacker to already have write access to the directory containing the archive, which significantly limits the attack surface in practice.
Also, on Windows creating symbolic links (reparse points) usually requires admin privileges or Dev Mode to be enabled.

Updating to v4.0.12 is strongly recommended; sorry for the inconvenience.

Thanks to @Smarttfoxx for reporting these issues.

Changes from v4.0.11

  • Fixed CVE-2026-45380:
    • Newline characters within symlink target paths are now treated as valid, as they are on POSIX.
    • Embedded null characters in path strings are now correctly handled:
      • With BIT7Z_PATH_SANITIZATION=OFF, null characters are rejected and an exception is thrown.
      • With BIT7Z_PATH_SANITIZATION=ON, null characters are replaced with _, consistently with how invalid characters are handled on Windows.
    • Symlinks are now recreated with a target relative to the symlink's own parent directory, matching how the OS resolves them at runtime; the target is still validated to ensure it stays within the extraction output directory.
  • Fixed CVE-2026-45384:
    • When updating an archive in-place:
      • On POSIX, instead of opening <archive>.tmp directly, we first create a private temporary directory via mkdtemp (randomized suffix, 0700 permissions) and write the new archive as <tempdir>/data. Because the directory name is unpredictable and inaccessible to other users, an attacker with write access to the archive directory cannot pre-place a symlink at the temp file path.
      • On Windows, where mkdtemp is unavailable and creating symlinks usually requires elevated privileges, the same predictable .tmp extension is kept but the file is opened without createAlways, so an already-existing file or symlink at that path causes a file_exists error and a retry with a numeric postfix (.tmp1, .tmp2, …, up to 65535 attempts; same behavior as 7-Zip).
      • In both cases, CFileOutStream now checks existence via fs::symlink_status rather than fs::exists, so dangling symlinks are also detected.
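The following is an added example (not bit7z's own code) of the POSIX pattern the CVE-2026-45384 fix describes: a private directory is created with `mkdtemp` (random suffix, mode 0700), the new archive is written to `<tempdir>/data` through an `O_CREAT|O_EXCL` open that fails instead of following a pre-placed symlink, and `fs::symlink_status` is used to detect anything already occupying a path, including a dangling symlink that `fs::exists` would report as absent. The `.bit7z-XXXXXX` template name, the `rename()` commit step and the constructed payload are this example's own choices; the page does not say how bit7z names the directory or moves the finished archive into place.

```cpp
// Added example, not bit7z code: private temp directory + exclusive create for
// an in-place archive update, and symlink-aware existence checks.
#include <cerrno>
#include <cstdlib>
#include <fcntl.h>
#include <filesystem>
#include <string>
#include <system_error>
#include <unistd.h>
#include <vector>

namespace fs = std::filesystem;

// True if anything sits at `p`: a file, a directory, or a symlink, even one
// whose target is missing. fs::exists(p) follows symlinks and reports a
// dangling link as absent, which is the gap the fix closes.
bool pathOccupied(const fs::path& p) {
    std::error_code ec;
    const fs::file_status st = fs::symlink_status(p, ec);
    return fs::exists(st);  // not_found -> false; symlink/regular/directory -> true
}

struct TempTarget {
    fs::path dir;   // private directory created by mkdtemp
    fs::path file;  // "<dir>/data", the file the new archive is written to
    int fd;         // open descriptor for `file`
};

// Creates the private temp directory beside `archive` and opens the data file.
// O_EXCL makes the open fail rather than follow a pre-placed symlink;
// O_NOFOLLOW covers the same case for non-creating opens.
TempTarget createPrivateTemp(const fs::path& archive) {
    const std::string tmpl = (archive.parent_path() / ".bit7z-XXXXXX").string();  // constructed name
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    if (mkdtemp(buf.data()) == nullptr) {
        throw std::system_error(errno, std::generic_category(), "mkdtemp");
    }
    TempTarget t;
    t.dir = fs::path(buf.data());
    t.file = t.dir / "data";
    t.fd = open(t.file.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (t.fd < 0) {
        const int err = errno;
        fs::remove_all(t.dir);
        throw std::system_error(err, std::generic_category(), "open temp data file");
    }
    return t;
}

// Moves the finished file over the archive. rename(2) within one file system is
// atomic, and the temp dir lives next to the archive, so no cross-device copy.
void commitTemp(TempTarget& t, const fs::path& archive) {
    close(t.fd);
    t.fd = -1;
    fs::rename(t.file, archive);  // replaces an existing archive in one step
    fs::remove_all(t.dir);
}

// Runs the whole update flow against `archive` (a constructed path) and reports
// whether every property the fix relies on held. Cleans up after itself.
bool demonstrateUpdate(const fs::path& archive) {
    TempTarget t = createPrivateTemp(archive);
    const bool privateDir = fs::is_directory(t.dir) &&
        (fs::status(t.dir).permissions() & (fs::perms::group_all | fs::perms::others_all)) == fs::perms::none;
    const std::string payload = "constructed archive bytes";  // stand-in for real archive data
    const bool written = write(t.fd, payload.data(), payload.size()) == static_cast<ssize_t>(payload.size());
    commitTemp(t, archive);
    const bool committed = fs::is_regular_file(archive) &&
        fs::file_size(archive) == payload.size() && !pathOccupied(t.dir);
    fs::remove(archive);
    return privateDir && written && committed;
}

// Shows the symlink_status vs. exists difference on a dangling link at `link`.
bool demonstrateDanglingDetection(const fs::path& link) {
    fs::remove(link);
    fs::create_symlink(link.parent_path() / "missing-target", link);
    std::error_code ec;
    const bool followedView = fs::exists(link, ec);  // false: the target is missing
    const bool occupied = pathOccupied(link);         // true: the link itself is there
    fs::remove(link);
    return !followedView && occupied;
}

int main() {
    const fs::path base = fs::temp_directory_path();
    const bool ok = demonstrateUpdate(base / "bit7z-example.7z") &&
                    demonstrateDanglingDetection(base / "bit7z-example-link");
    return ok ? 0 : 1;
}
```

The directory, not just the file name, is what makes the pre-placed symlink attack fail: an attacker with write access to the archive's directory cannot guess the `mkdtemp` suffix and, with mode 0700, cannot enter the directory to plant anything even if they could. The `O_EXCL` open is the second line of defence for the file itself, matching the "open without createAlways" behaviour the notes describe for Windows.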

Other changes

  • Improved error messages:
    • Output archive paths without a filename component are rejected early with a clear error.
    • Updating a multi-volume archive now fails explicitly instead of silently creating a single-volume archive.
  • Refined and optimized path sanitization on all platforms.
  • Improved item path validation and sanitization in the extraction callback.
  • Moved long-path prefix formatting into SafeOutPathBuilder for better encapsulation.
  • Improved handling of various platforms' max path length.
  • Improved test coverage.

Full Changelog: v4.0.11...v4.0.12

This is a maintenance release. For a full changelog of the other changes introduced by bit7z v4, please check https://github.com/rikyoz/bit7z/releases/tag/v4.0.0.

Binaries built using the default options with Clang 10, GCC 9, MinGW 8, MSVC 2015, 2017, 2019, and 2022 👇