In light of the recent CVE raised against 7-Zip, we wanted to provide reassurance to our customers and community. The CVE states that it covers all versions up to and including 21.07, the version that is used in Chocolatey CLI. As the 7-Zip components that are bundled with Chocolatey CLI are not the ones the CVE relies on, Chocolatey CLI is not affected.
CVE-2022-29072 Details
The CVE states:
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process,
The CVE author created a GitHub repository that shows the use of the 7-Zip help file, 7-zip.chm, and a .7z archive file to gain escalated privileges on the system. To exploit a system, the user must open the 7-Zip help and drop a .7z archive file onto the open help file. This is not something that a user would do in the normal process of working with 7-Zip.
Is Chocolatey CLI Vulnerable?
If you browse the tools folder in the Chocolatey installation directory (by default this is C:\ProgramData\chocolatey), you will see that Chocolatey CLI does not ship with the 7-Zip help file, 7-zip.chm, or the 7zFM.exe file, both of which the CVE requires. Chocolatey CLI is therefore not affected by this CVE.
7zip Chocolatey Package
The latest version of the 7zip Chocolatey package is 21.7, which is vulnerable according to the CVE. Once 7-Zip have released a new version, the 7zip package will be automatically updated and pushed to the Chocolatey Community Repository by the package maintainer.
Note that the 7zip Chocolatey package removes the leading zero from the version number; therefore 7-Zip version 21.07 is the 7zip Chocolatey package version 21.7.
Recommendations
The CVE author suggests that the 7-Zip help file, 7-zip.chm, is removed from the file system. By default, 7-Zip installs to C:\Program Files\7-Zip. This will stop the help file from being displayed, which means that you cannot drag and drop a .7z archive file onto it.
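The following PowerShell script is an added example, not code from this post or from the 7-Zip project. It audits a Windows host for the two components the CVE depends on (7-zip.chm and 7zFM.exe) in both the Chocolatey CLI tools folder and a full 7-Zip install, reports the installed 7zip Chocolatey package version against the 21.7 cut-off, and can apply the help-file removal suggested above. The default paths are the ones given in this post; the lib\7zip\7zip.nuspec location used for the version lookup is an assumption about Chocolatey's package layout, not something this post states.

```powershell
# Added example (not code from the Chocolatey post or the 7-Zip project): audit a
# Windows host for the two components CVE-2022-29072 depends on, report the
# installed 7zip Chocolatey package version, and optionally apply the CVE
# author's suggested mitigation (removing 7-zip.chm). Supports -WhatIf.
# Assumptions: default paths as given in the post; Chocolatey's
# lib\<id>\<id>.nuspec layout for the package version lookup (assumed, not
# stated in the post).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ChocolateyRoot = 'C:\ProgramData\chocolatey',   # default from the post
    [string]$SevenZipRoot   = 'C:\Program Files\7-Zip',     # default from the post
    [switch]$RemoveHelpFile                                   # apply the mitigation
)

# Prefer the ChocolateyInstall environment variable when the caller did not
# override the root explicitly.
if (-not $PSBoundParameters.ContainsKey('ChocolateyRoot') -and $env:ChocolateyInstall) {
    $ChocolateyRoot = $env:ChocolateyInstall
}

# 7-Zip 21.07 is the last affected release; the Chocolatey package drops the
# leading zero, so the comparable package version is 21.7.
$lastAffected  = [version]'21.7'
$requiredFiles = '7-zip.chm', '7zFM.exe'

function Test-CveComponents {
    param([string]$Location, [string]$Folder)
    foreach ($name in $requiredFiles) {
        [pscustomobject]@{
            Location = $Location
            File     = $name
            Present  = Test-Path -LiteralPath (Join-Path $Folder $name)
        }
    }
}

# 1. Chocolatey CLI's bundled 7-Zip lives under <root>\tools; the post states it
#    ships neither file, so both rows should read Present = False.
$findings  = @(Test-CveComponents -Location 'Chocolatey CLI tools' -Folder (Join-Path $ChocolateyRoot 'tools'))
# 2. A full 7-Zip install (for example from the 7zip package) ships both.
$findings += @(Test-CveComponents -Location '7-Zip install' -Folder $SevenZipRoot)
$findings | Format-Table -AutoSize

# 3. Installed 7zip package version, read from its nuspec (assumed layout).
$nuspec = Join-Path $ChocolateyRoot 'lib\7zip\7zip.nuspec'
if (Test-Path -LiteralPath $nuspec) {
    [xml]$doc   = Get-Content -LiteralPath $nuspec -Raw
    $pkgVersion = [version]$doc.package.metadata.version
    if ($pkgVersion -le $lastAffected) {
        Write-Warning "7zip package $pkgVersion is within the affected range (7-Zip <= 21.07)."
    } else {
        Write-Host "7zip package $pkgVersion is newer than the affected range."
    }
} else {
    Write-Host "No 7zip Chocolatey package found under $ChocolateyRoot\lib."
}

# 4. Optional mitigation from the post: remove the help file so it cannot be
#    opened, and therefore nothing can be dropped onto it.
$helpFile = Join-Path $SevenZipRoot '7-zip.chm'
if ($RemoveHelpFile -and (Test-Path -LiteralPath $helpFile)) {
    if ($PSCmdlet.ShouldProcess($helpFile, 'Remove 7-Zip help file')) {
        Remove-Item -LiteralPath $helpFile -Force
    }
}
```

Save it under any name (for example Check-7ZipCve.ps1) and run it without switches to get the report only; add -RemoveHelpFile -WhatIf to preview the removal and -RemoveHelpFile to carry it out. The ShouldProcess plumbing is what makes -WhatIf and -Confirm work without any extra code in the removal branch.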
If further information or recommendations become available, we will update this post.
Summary
We hope this post reassures our customers and community that Chocolatey CLI is not vulnerable to the recent CVE for 7-Zip and why it is not vulnerable.
For security-related issues, please see our documentation for responsible disclosure. If you are a licensed Customer with valid Maintenance and Support, then please do reach out to Support (run choco support to find out your options) or use our Community Discord Chat if you have further questions.