>Popular Windows data compression tool WinRAR has patched a serious 19-year-old security flaw that was discovered on its platform, potentially impacting 500 million users.

>The path-traversal vulnerability, which WinRAR fixed in January, could allow bad actors to remotely execute malicious code on victims’ machines – simply by persuading them to open a file, researchers with Check Point Software said on Wednesday.

>“We found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer,” said Nadav Grossman with Check Point in the analysis. “The exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.”

>Researchers specifically found a path-traversal vulnerability in unacev2.dll, a third-party dynamic link library in WinRAR used for parsing ACE (a data compression archive file format) archives.

>When taking a closer look at unacev2.dll, researchers found that “it’s an old dated dll compiled in 2006 without a protection mechanism. In the end, it turned out that we didn’t even need to bypass them,” said Grossman.

>Due to the lack of protections and support for unacev2.dll, researchers were able to easily rename an ACE file and give it a RAR extension within unacev2.dll. When opened by WinRAR, the fake ACE file containing a malicious program is extracted to the system’s startup folder – so the program would automatically begin running when the system starts.

>On an update on its website, WinRAR said: “WinRAR used this third-party library to unpack ACE archives. unacev2.dll had not been updated since 2005

<and we do not have access to its source code.

>So we decided to drop ACE archive format support to protect security of WinRAR users.”

>The PoC makes use of a chain of vulnerabilities (CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253).




>unacev2.dll was created by Marcel Lemke, the original developer of the ACE archive format

>under a "restrictive open source" license

Where is Marcel Lemke (Check Point didn't mention nor contact him at all) currently?




>In computing, ACE is a proprietary data compression archive file format developed by Marcel Lemke,

<and later bought by e-merge GmbH

>WinAce, maintained by e-merge GmbH, is used to compress and decompress ACE files under Microsoft Windows.

>When installed, it lets the user choose between paying for a registration

<or installing WhenU SaveNow adware


>An older version of an Unace 1.2b is free software and licensed under the GPL by the author Marcel Lemke, but it cannot extract ACE archives from version 2.0 and newer.[1]


I don't see any upstream source listed at


or maybe i'm just blind

>A newer version of Unace 2.5 that supports ACE 2.0 archives is available under a restrictive open source license, also by Marcel Lemke.[2]


this lists downstream as


which doesn't work, page says "under construction"

what the hell is the upstream even? it looks like it's just some random dude maintaining the GPL version



"The original source code was obtained by mail from the upstream author Marcel Lemke <mlemke@winace.com>."

they don't even publish the source code, debian got it in an email?


the last changelog that actually changed any code was 2007, everything else is just debian bs



>this lists downstream as


*meant to say upstream

the only place i can even find winace is adware/aids infested shareware sites



Maybe you can contact Fabian Greffrath for the whereabouts of the unace 2.5 source code in his computer.




There only seems to be an archive:


which is so broken that you have to set height:100% to the <iframe> so that you can view it.

http://www.emerge.de shows the same "under construction" message, so who knows.

The better question is: What happened to e-merge GmbH? Did they run out of license cash or are they restructuring?



Neither WinRAR nor 7zip has anything to do with ACE compression.

Misleading title.


I'm old enough to remember when buying WinRAR was a meme.



You won't find anyone who can't remember that.

Every YT-Video was like: Unpack it with WinRAR *buy WinRAR license window pops up*



>What happened to Marcel Lemke and e-merge GmbH?


Some kraut help is appreciated.



>WinRAR has nothing to do with ACE compression

>WinRAR chose to support ACE compression inside of WinRAR using a dll they don't have the source code to and didn't compile themselves, which is 13 years old.

>this isn't a security problem at all and has nothing to do with WinRAR



not to mention the people who did compile that dll 13 years ago are clearly afk from the planet.

>WinRAR thought this was perfectly fine and only removed the dll and support for ace compression using it after someone made a proof of concept that literally provided remote code execution through it




What will I do now if I want to extract an ACE file?

>literally provided remote code execution


You're special.

Even PNG had a remote code execution vuln. Better to fix it than to say lol fug people who want to view PNGs! Let's remove all PNG support.



>who can't remember that.

Phone fags don't know what rar files are, let alone any compression technology. Sadly, most people today are phone fags.



The irony is that they profit from compression the most with their 64GB (best case scenario, a few years ago they were like 4GB) internal flash drives.


The funny thing was that you could install apps onto sd cards back then on android 3.4 (I think it was 3.4). They removed that so people buy new phones with 10GB more whenever they run out of space.



they also removed it because android is a clusterfuck and would not load those apps properly in some cases


Backwards compatibility meme was a mistake.



>in some cases

Still not a reason to remove it. It's way more likely they removed it to sell more phones.


>remotely execute

>open a file

That's called a local exploit you faggots.



the worst is that they removed the "treat as mass storage" option for pc


File: 7f688ff234adf9f⋯.jpg (590.82 KB, 1600x2264, 200:283, powerwindws.jpg)

OMG, I was never aware there were potential backdoors in Windows programs!


File: ea0697ae4c23d43⋯.png (120.93 KB, 540x1063, 540:1063, Apple_Press_Conference.png)


I'm not a phone owner anymore, so i'm completely fine with phonefags going to hell.



>what is KDE Connect


I haven't seen an ace file in two decades, who even still uses it?



you, after you open file named "something.rar" :^)





it makes me wonder what other proprietary software is using ancient dlls compiled by developers a decade ago who no longer exist.


Reminder that zip files allow relative paths too.
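The OP's quoted article describes a path-traversal bug in unacev2.dll: an archive entry name that escapes the extraction directory lands a file somewhere else on disk, such as the startup folder. The reminder above makes the same point about zip, whose entry names are just strings and can carry `..` components, backslashes or absolute paths. The check below is an added example written for this thread, not code from WinRAR, Check Point or any archiver: it resolves each entry name against the intended destination and rejects anything that would end up outside it. The destination directory and the zip contents are constructed for the demonstration.

```python
import io
import os
import zipfile


def member_is_safe(dest_dir: str, member_name: str) -> bool:
    """Return True only if extracting member_name under dest_dir stays inside dest_dir.

    Rejects absolute paths, Windows drive letters and any name whose
    resolved location is not dest_dir itself or a descendant of it.
    """
    # Entry names may use either separator; normalise to forward slashes first.
    name = member_name.replace("\\", "/")
    # Absolute paths and drive-letter paths are never legitimate relative entries.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    dest_real = os.path.realpath(dest_dir)
    # realpath collapses ".." components (and follows symlinks already on disk).
    target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
    return target == dest_real or target.startswith(dest_real + os.sep)


def audit_archive(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Classify every entry of an in-memory zip as safe or rejected without writing anything."""
    safe: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            (safe if member_is_safe(dest_dir, info.filename) else rejected).append(info.filename)
    return safe, rejected


def build_sample_archive() -> bytes:
    """Constructed sample zip: two ordinary entries plus three traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ordinary file")
        zf.writestr("docs/../notes.txt", "has '..' but still resolves inside the destination")
        zf.writestr("../../escape.txt", "would land two directories above the destination")
        zf.writestr("..\\..\\escape2.txt", "same trick spelled with backslashes")
        zf.writestr("/abs/escape3.txt", "absolute path")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical destination; nothing is written to it.
    ok, bad = audit_archive(build_sample_archive(), "/tmp/extract")
    print("safe:", ok)
    print("rejected:", bad)
```

The check is applied to the resolved path rather than by string-matching on `..`, so a name like `docs/../notes.txt` is accepted while `../../escape.txt` is not. Python's own `ZipFile.extract()` neutralises such names by rewriting them; an extractor that trusts the name as stored, which is the failure the thread is about, needs a check like this one before opening the output file.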



You underestimate how shit android is.

Take linux, the turbo-shit OS for desktop with zero pressure to fix things, slap a ton of jewgle DRM on top, then half-ass the "stable" system APIs that you then proceed to deprecate anyways.



Linux desktop is pretty decent actually. I'm a miserable person who has to use both Linux and Windows daily so it's really apparent to me that Linux is a blessing we don't deserve.




Can GNU run without Linux?

Can Linux run without GNU?




Yes, if you exclude the fact that Linux compiles with gcc only, a GNU product, otherwise no.





The point of the GNU/Linux name is to describe what you are actually using in practice. If your specific system uses Linux without GNU, then your system is not a GNU/Linux system. If your system uses Linux and the GNU OS, then your system is a GNU/Linux system.



personally, i use linux/systemd/busybox/lxde/gtk/qt5/firefox/xorg/gnome/fish/vlc/7z/cmake/aptitude/ffmpeg/mesa/dmenu/openssl/perl/python/sqlite/sudo/vim/w3m/pcmanfm/nomacs/feh/fltk/rust/imagemagick/ncurses/electron/gnu



>Can GNU run without Linux?


>Can Linux run without GNU?



Marketing-wise, just "Linux" is better because it's simpler. It's complicated enough for normies to understand the concept of distros.



It's nice of you to give credit to all of those projects, but it's not really necessary. Unlike the GNU project, they're not headed by autistic manchildren who throw temper tantrums in public and experience galactic asshurt for not getting "credit" because an upstart kernel forever thwarted their vision of a GNUtopia.



>Marketing-wise, just "Linux" is better because it's simpler. It's complicated enough for normies to understand the concept of distros.



Let's call all OS Linux, because of normies and marketing.

Following your logic the name GNU is simpler than Linux, so let's call the whole system GNU, without Linux.


>personally, i use linux/systemd/busybox/lxde/gtk/qt5/firefox/xorg/gnome/fish/vlc/7z/cmake/aptitude/ffmpeg/mesa/dmenu/openssl/perl/python/sqlite/sudo/vim/w3m/pcmanfm/nomacs/feh/fltk/rust/imagemagick/ncurses/electron/gnu

I see the name is tooo long for you. Just remove unnecessary crap. GNU was started before Linux, so now you're using GNU *:)*







>two different DEs


<not GNU Icecat


Lol. You forgot to install discord.

But seriously, read the FAQ https://www.gnu.org/gnu/gnu-linux-faq.html. Your arguments are all listed there. I used to say "Linux" and "open source" too, before I found out about GNU.



Go back to bed, Stallman.





>just use gnu


9base > gnu coreutils

GNU isn't even a functioning operating system and it already has more coreutil replacements than any other ever had.

A lot of these even perform better than GNU.

>GNU started before Linux, so let's call it GNU

unix started before GNU so let's call it unix.



GNU is not Unix. That's the whole point of the name.


>>1035957 GNU is not Unix but Linux is a Unix-like OS. GNU developers are just self-claimed OS developers. But Linux developers are real OS developers.


>>1036033 Gnu developers have developed a lot of third-party software for Linux as third-party developers. But there are many other third-party developers for Linux besides Gnu.



>Gnu is not unix but it does everything unix does so basically it's unix but we're autistic and can't call it unix cause unix is bad even though we use unix



*Linux is a Unix-like OS kernel program. GNU is an OS because it was designed to be an OS since day 1 of the project.



For GNU to use Unix, this is a very specific meaning. GNU does not use Unix at all. What specifically happens is that GNU is an implementation of Unix and the act of creating a new implementation is a different idea to using Unix.


I still have one of the original versions of WinRAR, have it on my Windows XP (which is currently only used offline for ripping media such as using DVD Shrink). I bet it has this vulnerability but luckily I haven't used it for a long while.



Just remove the .dll yourself, you'll never be able to open .ace files ever again but that's fine.


Has anybody actually ever bought WinRAR?



Of course. There still isn't a better archive manager on any OS. No matter how hard mouthbreathing *nix users screech about 7zip and other garbage software.


Wait, can this be used to open a WinRAR file you can't normally access without a password? I NEED TO KNOW BECAUSE REASONS


WinRAR 5.70 Final has been out for a few days now.



.zip files that can only be opened in 7-Zip complain back at you.



Or anything that is not WinRAR, and that has support for "modern" compression techniques.




nice non-arguments

