Boycott 7-zip: "Limited" Open Source & Security Issues


"Limited" Open Source

7-Zip is developed by Igor Pavlov; its first release dates back to 1999. It is licensed under LGPL-2.1-or-later, but with one catch: you cannot find the actual sources on GitHub, GitLab or any other public code hosting, only a src.7z archive on the official SourceForge page. No history, no committers, no names, no documentation, just an archive.
Also, if you want to compile 7-Zip yourself, some tweaks are inevitable. So why are tweaks needed, and why is there no commit history? Because the author does not want you to build the app from source, and some parts are probably either left out or included with some "special" bugs. With a commit history it is easier to track every change and revert any wrong parts; without one, it is easier to ship hidden dark elements such as hidden telemetry or backdoors.

Security issues

  • CVE-2022-29072 is not fixed yet
  • multiple vulnerabilities in the past:
    • the author ignored the /GS Buffer Security Check flag
    • he also ignored the /DYNAMICBASE flag because he prefers to ship the binaries without a relocation table to achieve "a minimal binary size" - just LOL. Trading a few KBs for security in 2018??? It's mind-blowing.
    • Remote Code Execution, just a year later

According to user reports in the comments, the flags were added nearly a year later, and the author said: "...No time for these things now. Maybe later I'll look it. I still use old compiler for 32-bit version".

Also, the installer appears to be unsigned and has never been signed. A strange story, because a code-signing certificate verifies the vendor and helps prevent the installation of software from bad actors.
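The two complaints above (missing /DYNAMICBASE and relocations, and an unsigned installer) can both be checked on a downloaded binary without trusting anyone's word. The following Python script is an added example for this post, not 7-Zip's code and not something the author published: it parses the PE headers directly, reads DllCharacteristics for /DYNAMICBASE, /NXCOMPAT, high-entropy ASLR and CFG, checks the base-relocation directory (a DYNAMICBASE flag on an image whose relocations were stripped still cannot be randomised), checks the load-config directory as the only header-level hint that /GS was used, and checks the certificate-table directory for an embedded Authenticode signature. The build_sample_pe helper constructs header-only images for offline testing and is not a real 7-Zip binary. A present certificate table only means the file is signed, not that the signature is valid; verify the chain with signtool verify or Get-AuthenticodeSignature.

```python
import struct
import sys

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE/COFF specification).
DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image may be relocated at load (ASLR)
NX_COMPAT = 0x0100        # /NXCOMPAT: image is DEP-compatible
HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA: 64-bit address space randomisation
GUARD_CF = 0x4000         # /GUARD:CF: Control Flow Guard metadata present

# IMAGE_FILE_HEADER.Characteristics bit: relocations were stripped from the file.
RELOCS_STRIPPED = 0x0001

# Data directory indices (PE/COFF specification).
DIR_SECURITY = 4      # certificate table (Authenticode signature)
DIR_BASERELOC = 5     # base relocation table
DIR_LOAD_CONFIG = 10  # load config (holds the /GS security cookie pointer)


def check_mitigations(data: bytes) -> dict:
    """Report which build-time mitigations and signing a PE image advertises."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                   # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        dirs = opt + 96
    elif magic == 0x20B:                              # PE32+
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]

    def directory_size(index: int) -> int:
        if index >= n_dirs:
            return 0
        _rva, size = struct.unpack_from("<II", data, dirs + 8 * index)
        return size

    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    has_relocs = directory_size(DIR_BASERELOC) > 0 and not (file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "has_relocations": has_relocs,
        # The loader can only randomise the base if the flag is set AND the
        # image still carries relocations; a stripped image stays at its
        # preferred address.
        "aslr_effective": dynamic_base and has_relocs,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "guard_cf": bool(dll_chars & GUARD_CF),
        # /GS is not a DllCharacteristics bit; its cookie is referenced from the
        # load config directory, so this is only a hint, not proof.
        "has_load_config": directory_size(DIR_LOAD_CONFIG) > 0,
        # A non-empty certificate table means the file is signed; it says
        # nothing about whether the signature is valid or trusted.
        "has_authenticode_signature": directory_size(DIR_SECURITY) > 0,
    }


def build_sample_pe(dll_chars: int, pe32plus: bool = False, reloc_size: int = 0,
                    relocs_stripped: bool = False, cert_size: int = 0) -> bytes:
    """Constructed header-only PE image (no sections) for offline testing."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    file_chars = 0x0002 | (RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * DIR_BASERELOC, 0x3000, reloc_size)
    struct.pack_into("<II", opt, dirs + 8 * DIR_SECURITY, 0x4000, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_pe.py <path-to-exe-or-dll>
    with open(sys.argv[1], "rb") as f:
        for name, value in check_mitigations(f.read()).items():
            print(f"{name:28} {value}")
```

Run it against the installer and against the installed 7z.exe and 7z.dll separately: the installer's signature status and the program's mitigation flags are independent questions, and the 32-bit and 64-bit builds can differ because, as the author says above, they are produced with different compilers.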

SourceForge - a hosting service with not the best reputation

SourceForge was accused of bundling spyware and malware into Windows .exe files and self-extracting archives; they called it "Coupling "third party offers" with unmaintained SourceForge projects". A perfect addition to the missing 7-Zip certificate, don't you think? SourceForge has changed owners since then, but the reason to check every SF download carefully is still there.

#StandUpForUkraine

Russia attacked Ukraine and is inciting genocide right now. Better not to use Russian software, and not only out of solidarity with Ukraine: the software can also add serious security risks. Here is an example: hackers under Moscow's control used JetBrains tools to take control of SolarWinds' servers.

Alternatives

For Windows: PeaZip (works on macOS and Linux too) and [NanaZip](https://github.com/M2Team/NanaZip); on Linux and macOS the default apps do the job. The Unarchiver may be worth a try on macOS. Also check out Zstd (Zstandard), an open-source compression algorithm with very good results and performance, quite comparable with 7z and even better in several benchmarks.

Paul Nixer