by dragontamer 2992 days ago
So, as much as I hate to hate on somebody here, Igor is... somewhat unreliable with regards to these issues.

Igor is infamous for disabling virtually every setting. 7-Zip has no ASLR, compiler-stack checks, or anything what-so-ever. Igor refuses to use a modern VC++ (Visual Studio 2015 and later have FREE versions available for open-source code) that would solve a lot of security issues and bugs.

I'm not entirely sure if this is a Win10 problem, or if it's a 7-Zip problem. Any complaints from the 7-Zip dev IMO will require a very careful eye: 7-Zip code is not necessarily in the cleanest state or using the best practices.

3 comments

And yet it is about 100x as useful as most free software that does. One wonders whether that is coincidence or correlation.

I don't know Igor, but if 7z is anything to go by then he probably uses VC--I'm guessing here--6 for the same reason Sean Barrett does: It's way faster and less bloated than modern VS. I'm also guessing he doesn't use those security features because they're largely ineffective and just complicate things and slow them down.

I'm sure many will argue the last point, but it's hard to imagine that that mindset doesn't play a role in 7-zip being as great a utility as it is.

There's a big difference between quality code and being a cowboy.

> I don't know Igor, but if 7z is anything to go by then he probably uses VC--I'm guessing here--6 for the same reason Sean Barrett does: It's way faster and less bloated than modern VS.

Then they should learn how to download the SDK and learn to use the command line to properly compile code with proper ASLR and other such security features. Keep working in VC 6.0 if you want, but for the love of all things good please enable basic ASLR.

It's 2018. It's time to get with the program. Various solutions (or at least... mitigations) to buffer overflows and code execution bugs have been discovered in the last 20 years. Yes, VS 6 was released in 1998. My use of the phrase "20 years" is literal.

It's shameful that a dev of one of the most popular open source tools out there doesn't care about security.

--------------

In any case, Igor runs his dev environment from 20 years ago. If someone was compiling code with GCC 2.95 (released 2001, three years after his version of VS), the first response from Linus Torvalds would be "Dear lord, please upgrade your compiler. I'm not going to ensure compatibility with 18-year old tech".

> I'm also guessing he doesn't use those security features because they're largely ineffective and just complicate things and slow them down.

ASLR is ineffective? Really?

https://www.cisecurity.org/advisory/multiple-vulnerabilities...

https://landave.io/2018/01/7-zip-multiple-memory-corruptions...

The freaking executable doesn't have the freaking "NX Bit". We're talking about the most barebone basics of security here.

No ASLR. A lack of NX Bit. Pretty much any security feature discovered in the last 20 years is missing from 7zip. It's actually one of the worst offenders of security I've ever seen in 2018.

counterpoint: please cite a single arbitrary code execution vulnerability that was found in 7z.exe

Your wish is granted?

https://www.cvedetails.com/cve/CVE-2016-2334/

I mean, there are easy databases to look for these sorts of questions...

Looks like that exploit will not work on x64 builds (the only thing anyone should be running in 2018) due to DEP
https://twitter.com/wdormann/status/955802146045353985

DEP would be nice, wouldn't it?

IIRC, Igor finally added DEP a few months ago (NXCOMPAT if you need to google the Internet Drama). But the fact that he was running this code without lol DEP until January of THIS YEAR makes me suspect his coding practices.

As per this other page:

https://landave.io/2018/01/7-zip-multiple-memory-corruptions...

> I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size. At least he will try to enable /NXCOMPAT for the next release. Apparently, it is currently not enabled because 7-Zip is linked with an obsolete linker that doesn’t support the flag.

This is bad. Very very bad. This should not have been happening in 2018. He wants to save literally ~kilobytes of .exe space instead of using ASLR. Igor is not someone who seems to take security seriously.

----------------------

In any case, there are ways around DEP. Which is why ASLR exists, and other such flags. Enabling DEP brings 7-zip into the year 2003 (when x86-64 was first released by AMD) level of security, but there are other security threats that are addressed with these other compiler flags.
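As an added example that is not part of the thread: a header-only check, in Python, of whether a Windows binary was linked with /NXCOMPAT and /DYNAMICBASE and whether its relocation table was stripped, the settings the quoted write-up discusses. The function names and the sample headers are constructed for illustration; /GS leaves no header flag and is not checked.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no relocations
DLLCHAR_DYNAMIC_BASE = 0x0040        # DllCharacteristics, set by /DYNAMICBASE
DLLCHAR_NX_COMPAT = 0x0100           # DllCharacteristics, set by /NXCOMPAT


def audit_pe(data: bytes) -> dict:
    """Report the DEP/ASLR opt-in state recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if len(data) < pe_off + 24 + 72 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad or truncated PE header")
    opt_size, file_chars = struct.unpack_from("<HH", data, pe_off + 20)
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", data, pe_off + 24 + 70)
    dynamic_base = bool(dll_chars & DLLCHAR_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32_plus": magic == 0x20B,
        "nx_compat": bool(dll_chars & DLLCHAR_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # Without a relocation table the loader cannot move the image,
        # so the flag alone is not enough.
        "can_randomize": dynamic_base and not relocs_stripped,
    }


def make_sample(file_chars: int, dll_chars: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only image for demonstration (not a real binary)."""
    img = bytearray(0x40 + 24 + 96)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x40 + 20, 96, file_chars)
    struct.pack_into("<H", img, 0x40 + 24, magic)
    struct.pack_into("<H", img, 0x40 + 24 + 70, dll_chars)
    return bytes(img)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, audit_pe(open(path, "rb").read()))
```

Run it with one or more .exe or .dll paths as arguments to audit files on disk.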

You're criticizing him for disabling performance-lowering features for a software program that lives and dies in reviews by its performance?

And what does "anything what-so-ever" mean? If he does static analysis on the code and runtime analysis (e.g. the valgrind type), I don't expect that Microsoft's runtime checking will do much more in practice.

None of what you point out really speaks about the quality of his code. Does he have a history of security issues and bugs that's significantly different from others?

> You're criticizing him for disabling performance-lowering features for a software program that lives and dies in reviews by its performance?

Oh come on. The Linux Kernel also "lives and dies" based on its performance. Despite being one of the highest performance codebases ever written, Linux is still ASLR'd, Meltdown-patched, TLB-flushed and Retpoline-protected to all hell to mitigate against theoretical threats.

Web Browsers also live and die by performance numbers. Look at all of those Javascript benchmarks and shootouts that happen. And yet, web browsers are also taking advantage of the latest and greatest security features available on any OS they're deployed on.

Because security matters. And often, it matters more than performance.

7-Zip's DLLs / code are used as plugins everywhere. Not just in Windows 7z.exe, but also on Fedora Core, Ubuntu Linux, and more. There comes a point where we as a community have to recognize that security matters more than performance.

In most cases, there's a happy medium. I'm not necessarily saying that 7z needs to sandbox itself like Chrome, or needs to spin itself into a VM and isolate itself like MS Edge App Guard. Nor does it need to be Spectre-hardened with retpolines like the Linux kernel. All I'm saying is that 7z should at least be compiled with the freaking DEP / NX flag and ASLR. Neither of these have major performance flaws and have HUGE security benefits. Is that seriously too much to ask?

Besides, ASLR + DEP/NX flags are the default compile option flags for the last 15 years. Most software uses these flags with no issues.

Are there any other decent archiver programs for Windows? Explorer has had built in unzip functionality for a while but it's ridiculously slower than 7-Zip.

I looked a while ago to find alternatives when some of these issues came up a while ago but I haven't found any other viable alternatives. I thought PeaZip might be a good option until finding out that it is also based on 7-Zip.

The one tool that I did find useful during this search though is https://github.com/ImminentFate/CompactGUI.

Apparently in Win10, Microsoft introduced a compact.exe commandline tool that transparently compresses files/folders. The above tool is a GUI for it. It's not a replacement for a proper archiver but it's a nice tool to compress things like games and other large programs that need to stay in place.

Honestly, I dunno. I've been using 7-zip for as long as I can remember. It wasn't until recently when I learned about the lack of ASLR / NX bits / etc. etc in the program.

I can understand Igor like... not knowing about these features or whatever. But it's been months / years since he was notified about security and yet he doesn't take any corrective steps.

I'm seriously considering paying for WinRAR. No joke.