Software Update: PeaZip 2.6.2

Version 2.6.2 of PeaZip was released on Friday. PeaZip is an open source licensed archiving program that seeks to differentiate itself from the competition by specializing in security. Encrypting data is therefore the spearhead of our own pea format. The program can create 7z, bz2, gz, paq/lpaq, pea, quad, tar, upx and zip files and extract various file formats including ace, arj, cab, deb, iso, lha , rar and rpm. In this release, the Linux-backed version has now also been updated to version 9.04 of p7zip and a security issue has been fixed:

Changes in version 2.6.2:

  • p7zip backend updated to 9.04 (Linux)
  • tightened sanitization of input strings in PeaZip GUI, as security fix against a class of possible attacks based on code injection (ref: http://secunia.com/advisories/35352/ http://milw0rm.com/exploits/8881 original submission: http://retrogod.altervista.org/). To attack previos releases an attacker could build archives containing objects with nonvalid filenames, containing concatenated commands in the filename “hidden” to the user by making the filename very long with spaces to trick users in non reading the latter part of the name. If unaware users had downloaded such archive and doubleclicked or otherwise opened the archived file entry containing the concatenated command, would have put in execution the command (with current user rights). Fixes:
    • check file/dir names for:
      • non-allowed characters (0..31)
      • reserved characters
      • reserved file names
      • unusual spacing (5 consecutive or more, like in 7-Zip GUI), as may be intended to trick user hiding real filename
    • check command string immediately before execution for:
      • non-allowed characters
      • reserved characters for command concatenation (|), not used by PeaZip GUI
      • unusual spacing

Version number 2.6.2
Release status Final
Operating systems Windows 2000, Linux, Windows XP, Windows Server 2003, Windows XP x64, Windows Server 2003 x64, Windows Vista, Windows Vista x64, Windows Server 2008
Website SourceForge
Download http://peazip.sourceforge.net/
File size 4.67MB
License type GPL
Comments
Loading...