Topic Summary

Posted by: Fintech
« on: 16. May 2016., 13:50:47 »

Where is this world going? Nowhere can be trusted any longer! :-\
So sad but still true.
Posted by: Samker
« on: 14. May 2016., 20:07:12 »



Two vulnerabilities recently patched in 7-Zip could put at risk of compromise many software products and devices that bundle the open-source file archiving library.

The flaws, an out-of-bounds read vulnerability and a heap overflow, were discovered by researchers from Cisco's Talos security team. They were fixed in 7-Zip 16.00, released Tuesday.

The 7-Zip software can pack and unpack files using a large number of archive formats, including its own 7z format, which is more efficient than ZIP. Its versatility and open-source nature make it an attractive library to include in other software projects that need to process and deal with archived files.

Previous research has shown that most developers do a poor job of keeping track of vulnerabilities in the third-party code they use and that they rarely update the libraries included in their projects.

"7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today," the Cisco Talos researchers said in a blog post. "Users may be surprised to discover just how many products and appliances are affected": http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

A search on Google reveals that 7-Zip is used in many software projects, including in security devices and antivirus products. Many custom enterprise applications also likely use it: https://www.google.com/search?q=%227-Zip+Copyright%22&sourceid=ie7&rls=com.microsoft:en-US:%7Breferrer:source%7D&ie=UTF-8&oe=&gws_rd=cr&ei=-Is0V87AIYisswGb8qBA#safe=off&q=%227-Zip+Copyright%22

The out-of-bounds read vulnerability, tracked as CVE-2016-2335, stems from 7-Zip's handling of Universal Disk Format (UDF) files, while the heap overflow condition, CVE-2016-2334, can occur when handling zlib compressed files.

To exploit the flaws, attackers can craft specially crafted files in those formats and deliver them in a way that would cause the vulnerable 7-Zip code to process them.

(PCW)