Total Commander

Forum - Public Discussion and Support
https://www.ghisler.ch/board/

UnAce Vulnerability

https://www.ghisler.ch/board/viewtopic.php?t=52041

Page 1 of 1

UnAce Vulnerability

Posted: 2019-03-09, 07:14 UTC
by Galiza
 
Hi, information from WinRar web site https://www.rarlab.com/rarnew.htm

WinRar 5.70 What's New
21. Nadav Grossman from Check Point Software Technologies informed us
about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes possible to create files
in arbitrary folders inside or outside of destination folder
when unpacking ACE archives.

WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access
to its source code. So we decided to drop ACE archive format support
to protect security of WinRAR users.
BTW, if InternalUnace=0 may i delete UNACEV2.DLL ?

Best regards :!: :!:
 

Re: UnAce Vulnerability

Posted: 2019-03-09, 08:26 UTC
by Horst.Epp
What about searching for this in the forum and not making the next thread about it ? :(

Re: UnAce Vulnerability

Posted: 2019-03-09, 14:14 UTC
by karlchen
Hello, Galiza.

The vulnerability affecting the DLL file unacev2.dll, which comes with Total Commander, has been discussed for the past few weeks. See e.g. this thread: Security problem in unacev2.dll.
Note, please, that Christian Ghisler is working on Total Commander 9.22 RC, which brings along a more secure unacev2.dll. The new unacev2.dll should prevent the vulnerability from being exploited in Total Commander. Work on fixing unacev2.dll is still in progress.

Best regards,
Karl

Re: UnAce Vulnerability

Posted: 2019-03-09, 14:20 UTC
by Galiza
2Horst.Epp

There is something wrong with forum search, try this

Open advanced search -> Search for keywords: Unace -> Limit results to previous: 6 Months
press search and you'll notice that it only appears one post THIS ONE, so please relax ok

2karlchen

Thanks :!:
 

Re: UnAce Vulnerability

Posted: 2019-03-09, 14:36 UTC
by Horst.Epp
Galiza wrote: 2019-03-09, 14:20 UTC 2Horst.Epp

There is something wrong with forum search, try this

Open advanced search -> Search for keywords: Unace -> Limit results to previous: 6 Months
press search and you'll notice that it only appears one post THIS ONE, so please relax ok

2karlchen

Thanks :!:
 
Why so complicated, just make a normal search for unace and you find all threads.
Searching for Keywords makes sense if you already know some real keywords.

Re: UnAce Vulnerability

Posted: 2019-03-09, 14:56 UTC
by Dalai
2Horst.Epp
I appreciate your contributions, but in this case you're wrong. Just searching for "unace" finds this thread and much older ones (from 2016 and 2012), but not the ones containing the discussion about the unace vulnerability. It seems like the forum search only matches complete words because "unacev2" finds the thread, but "unace" doesn't.

Regards
Dalai

Re: UnAce Vulnerability

Posted: 2019-03-09, 16:15 UTC
by Usher
Galiza wrote: 2019-03-09, 14:20 UTC There is something wrong with forum search, try this

Open advanced search -> Search for keywords: Unace -> Limit results to previous: 6 Months
press search and you'll notice that it only appears one post THIS ONE, so please relax ok
There is something wrong with your search understanding. If you're NOT sure about keywords, use wildcards: unace*
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited