[ / / / / / / / / / / / / / ] [ dir / choroy / dempart / his / jenny / komica / vg / vp / xivlg ]

/tech/ - Technology

Winner of the 75nd Attention-Hungry Games
/caco/ - Azarath Metrion Zinthos

March 2019 - 8chan Transparency Report
Email
Comment *
File
Password (Randomized for file and post deletion; you may also set your own.)
* = required field[▶ Show post options & limits]
Confused? See the FAQ.
Flag
Oekaki
Show oekaki applet
(replaces files and can be used instead)
Options

Allowed file types:jpg, jpeg, gif, png, webm, mp4, pdf
Max filesize is 16 MB.
Max image dimensions are 15000 x 15000.
You may upload 3 per post.


 No.1033937

>Popular Windows data compression tool WinRAR has patched a serious 19-year-old security flaw that was discovered on its platform, potentially impacting 500 million users.

>The path-traversal vulnerability, which WinRAR fixed in January, could allow bad actors to remotely execute malicious code on victims’ machines – simply by persuading them to open a file, researchers with Check Point Software said on Wednesday.

>“We found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer,” said Nadav Grossman with Check Point in the analysis. “The exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.”

>Researchers specifically found a path-traversal vulnerability in unacev2.dll, a third-party dynamic link library in WinRAR used for parsing ACE (a data compression archive file format) archives.

>When taking a closer look at unacev2.dll, researchers found that “it’s an old dated dll compiled in 2006 without a protection mechanism. In the end, it turned out that we didn’t even need to bypass them,” said Grossman.

>Due to the lack of protections and support for unacev2.dll, researchers were able to easily rename an ACE file and give it a RAR extension within unacev2.dll. When opened by WinRAR, the fake ACE file containing a malicious program is extracted to the system’s startup folder – so the program would automatically begin running when the system starts.

>On an update on its website, WinRAR said: “WinRAR used this third-party library to unpack ACE archives. unacev2.dll had not been updated since 2005

<and we do not have access to its source code.

>So we decided to drop ACE archive format support to protect security of WinRAR users.”

>The PoC makes use of a chain of vulnerabilities (CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253).

https://threatpost.com/winrar-flaw-500-million-users/142080/

https://research.checkpoint.com/extracting-code-execution-from-winrar/

 No.1033942

>unacev2.dll was created by Marcel Lemke, the original developer of the ACE archive format

>under a "restrictive open source" license

Where is Marcel Lemke (Check Point didn't mention nor contact him at all) currently?


 No.1033948

>>1033942

wikipedia

>In computing, ACE is a proprietary data compression archive file format developed by Marcel Lemke,

<and later bought by e-merge GmbH

>WinAce, maintained by e-merge GmbH, is used to compress and decompress ACE files under Microsoft Windows.

>When installed, it lets the user choose between paying for a registration

<or installing WhenU SaveNow adware

lol

>An older version of an Unace 1.2b is free software and licensed under the GPL by the author Marcel Lemke, but it cannot extract ACE archives from version 2.0 and newer.[1]

https://packages.debian.org/stable/utils/unace

I don't see any upstream source listed at

https://tracker.debian.org/pkg/unace

or maybe i'm just blind

>A newer version of Unace 2.5 that supports ACE 2.0 archives is available under a restrictive open source license, also by Marcel Lemke.[2]

https://packages.debian.org/stable/utils/unace-nonfree

this lists downstream as

http://www.winace.com/

which doesn't work, page says "under construction"

what the hell is the upstream even? it looks like it's just some random dude maintaining the GPL version

https://metadata.ftp-master.debian.org/changelogs/non-free/u/unace-nonfree/unace-nonfree_2.5-8_copyright

"Comment:

The original source code was obtained by mail from the upstream author

Marcel Lemke <mlemke@winace.com>."

they don't even publish the source code debian got it in an email?

https://metadata.ftp-master.debian.org/changelogs/non-free/u/unace-nonfree/unace-nonfree_2.5-8_changelog

the last changelog that actually changed any code was 2007 everything else is just debian bs


 No.1033949

>>1033948

>this lists downstream as

>http://www.winace.com/

*meant to say upstream

the only place i can even find winace is adware/aids infested shareware sites


 No.1033952

>>1033948

Maybe you can contact Fabian Greffrath for the whereabouts of the unace 2.5 source code in his computer.


 No.1033953

>>1033949

>>1033948

There only seems to be an archive:

https://web.archive.org/web/20170714193504/http://winace.com/

which is so broken that you have to set height:100% to the <iframe> so that you can view it.

http://www.emerge.de shows the same "under construction" message, so who knows.

The better question is: What happend to e-merge GmbH? Did they run out of license cash or are they restructuring?


 No.1033954

>WinRAR

Neither WinRAR nor 7zip have anything to do with ACE compression.

Misleading title.


 No.1033955

I'm old enough to remember when buying WinRAR was a meme.


 No.1033956

>>1033955

You won't find anyone who can't remember that.

Every YT-Video was like: Unpack it with WinRAR *buy WinRAR license window pops up*


 No.1033957

>>1033953

>What happened to Marcel Lemke and e-merge GmbH?

ftfy

Some kraut help is appreciated.


 No.1033958

>>1033954

>WinRAR has nothing to do with ACE compression

>WinRAR chose to support ACE compression inside of WinRAR using a dll they don't have the source code to and didn't compile themselves, which is 13 years old.

>this isn't a security problem at all and has nothing to do with WinRAR


 No.1033959

>>1033958

not to mention the people who did compile that dll 13 years ago are clearly afk from the planet.

>WinRAR thought this was perfectly fine and only removed the dll and support for ace compression using it after someone made a proof of concept that literally provided remote code execution through it


 No.1033961

>>1033958

>>1033959

What will I do now if I want to extract an ACE file?

>literally provided remote code execution

>literally

You're special.

Even PNG had a remote code execution vuln. Better to fix it than to say lol fug people who want to view PNGs! Let's remove all PNG support.


 No.1033962

>>1033956

>who can't remember that.

Phone fags don't know what rar files are, let alone any compression technology. Sadly, most people today are phone fags.


 No.1033964

>>1033962

The irony is that they profit from compression the most with their 64GB (best case scenario, a few years ago they were like 4GB) internal flash drives.


 No.1033965

The funny thing was that you could install apps onto sd cards back than on android 3.4 (I think it was 3.4). They removed that so people buy new phones with 10GB more whenever they run out of space.


 No.1033977

>>1033965

they also removed it because android is a clusterfuck and would not load those apps properly in some cases


 No.1033982

Backwards compatibility meme was a mistake.


 No.1033983

>>1033977

>in some cases

Still not a reason to remove it. It's way more likely they removed it to sell more phones.


 No.1033985

>remotely execute

>open a file

That's called a local exploit you faggots.


 No.1034026

>>1033983

the worst is that they removed the "treat as mass storage" option for pc


 No.1034039

File: 7f688ff234adf9f⋯.jpg (590.82 KB, 1600x2264, 200:283, powerwindws.jpg)

OMG, I was never aware there were potential backdoors in Windows programs!


 No.1034043

File: ea0697ae4c23d43⋯.png (120.93 KB, 540x1063, 540:1063, Apple_Press_Conference.png)

>>1034026

I'm not a phone owner anymore, so i'm completely fine with phonefags going to hell.


 No.1034044

>>1034026

>what is KDE Connect


 No.1034063

I haven't seen an ace file in two decades, who even still uses it?


 No.1034065

>>1034063

you, after you open file named "something.rar" :^)


 No.1034071

>>1034063

>>1034065

this

it makes me wonder what other proprietary software is using ancient dll's compiled from developers a decade ago that no-longer exist.


 No.1034076

Reminder that zip files allow relative paths too.


 No.1034081

>>1033983

You underestimate how shit android is.

Take linux, the turbo-shit OS for desktop with zero pressure to fix things, slap a ton of jewgle DRM on top, then half-ass the "stable" system APIs that you then proceed to deprecate anyways.


 No.1034125

>>1034081

Linux desktop is pretty decent actually. I'm a miserable person who has to use both Linux and Windows daily so its really apparent to me that Linux is a blessing we don't deserve.


 No.1034136


 No.1034149

>>1034136

Can GNU run without Linux?

Can Linux run without GNU?


 No.1034155

>>1034149

Yes.

Yes if you exclude the fact that Linux compiles with gcc only, a GNU product, otherwise no.


 No.1034164

>>1034149

Yes

Yes

The point of the GNU/Linux name is to describe what you are actually using in practice. If your specific system uses Linux without GNU, then your system is not a GNU/Linux system. If your system uses Linux and the GNU OS, then your system is a GNU/Linux system.


 No.1035488

>>1034164

personally, i use linux/systemd/busybox/lxde/gtk/qt5/firefox/xorg/gnome/fish/vlc/7z/cmake/aptitude/ffmpeg/mesa/dmenu/openssl/perl/python/sqlite/sudo/vim/w3m/pcmanfm/nomacs/feh/fltk/rust/imagemagick/ncurses/electron/gnu


 No.1035498

>>1034149

>Can GNU run without Linux?

GNU/Hurd.

>Can Linux run without GNU?

Android.

>>1034164

Marketing-wise, just "Linux" is better because it's simpler. It's complicated enough for normies to understand the concept of distros.


 No.1035524

>>1035488

It's nice of you to give credit to all of those projects, but it's not really necessary. Unlike the GNU project, they're not headed by autistic manchildren who throw temper tantrums in public and experience galactic asshurt for not getting "credit" because an upstart kernel forever thwarted their vision of a GNUtopia.


 No.1035535

>>1035498

>Marketing-wise, just "Linux" is better because it's simpler. It's complicated enough for normies to understand the concept of distros.

>marketing

>normies

Let's call all OS Linux, because of normies and marketing.

Following your logic the name GNU is simpler than Linux, so let's call the whole system GNU, without Linux.

>>1035488

>personally, i use linux/systemd/busybox/lxde/gtk/qt5/firefox/xorg/gnome/fish/vlc/7z/cmake/aptitude/ffmpeg/mesa/dmenu/openssl/perl/python/sqlite/sudo/vim/w3m/pcmanfm/nomacs/feh/fltk/rust/imagemagick/ncurses/electron/gnu

I see the name is tooo long for you. Just remove unnecessary crap. GNU was started before Linux, so now you're using GNU *:)*

Also

>systemd

>rust

>python

>gnome

>electron

>two different DEs

>firefox

<not GNU Icecat

What a BLOATED

Lol. You forgot to install discord.

But seriously, read the FAQ https://www.gnu.org/gnu/gnu-linux-faq.html. Your arguments are all listed there. I used to say "Linux" and "open source" too, before I found out about GNU.


 No.1035563

>>1035535

Go back to bed, Stallman.


 No.1035569


 No.1035930

>>1035535

>What a BLOATED

>just use gnu

LOL!

9base > gnu coreutils

GNU isn't even a functioning operating system and it already has coreutil replacements more then any other ever had.

A lot of these even perform better then GNU.

>GNU started before Linux, so let's call it GNU

unix started before GNU so let's call it unix.


 No.1035957

>>1035930

GNU is not Unix. That's the whole point of the name.


 No.1036033

>>1035957 GNU is not Unix but Linux is a Unix-like OS. GNU developers are just self-claimed OS developers. But Linux developers are real OS developers.


 No.1036047

>>1036033 Gnu developers have developed many third-party softwares for Linux as third-party developers. But there are many other third-party developers for Linux except Gnu.


 No.1036062

>>1035957

>Gnu is not unix but it does everything unix does so basically it's unix but were autistic and can't call it unix cause unix is bad even though we use unix


 No.1036489

>>1036033

*Linux is a Unix-like OS kernel program. GNU is an OS because it was designed to be an OS since day 1 of the project.


 No.1036491

>>1036062

For GNU to use Unix, this is a very specific meaning. GNU does not use Unix at all. What specifically happens is that GNU is an implementation of Unix and the act of creating a new implementation is a different idea to using Unix.


 No.1036501

I still have one of the original versions of WinRAR, have it on my Windows XP (which is currently only used offline for ripping media such as using DVD Shrink). I bet it has this vulnerability but luckily I haven't used it for a long while.


 No.1036516

>>1036501

Just remove the .dll yourself, you'll never be able to open .ace files ever again but that's fine.


 No.1036532

Has anybody actually ever bought WinRAR?


 No.1036585

>>1036532

Of course. There still isn't a better archive manager on any OS. No matter how hard mouthbreathing *nix users screech about 7zip and other garbage software.


 No.1037006

Wait, can this be used to open WinRAR file You can't normally access without password? I NEED TO KNOW BECAUSE REASONS


 No.1037016

WinRAR 5.70 Final is out since a few days ago.


 No.1037040

>>1036585

.zip files that only can be opened in 7-Zip complain back at you.


 No.1037041

>>1037040

Or anything that is not WinRAR, and that has support for "modern" compression techniques.


 No.1037042

>>1037041

>>1037040

nice non-arguments




[Return][Go to top][Catalog][Nerve Center][Cancer][Post a Reply]
Delete Post [ ]
[]
[ / / / / / / / / / / / / / ] [ dir / choroy / dempart / his / jenny / komica / vg / vp / xivlg ]