vulnerability in UNACEV2.DLL

omega
Posts: 193
Joined: 09 Dec 2005, 19:21

vulnerability in UNACEV2.DLL

Post by omega » 22 Feb 2019, 03:52

There's a security vulnerability in the UNACEV2.DLL library. The vulnerability makes it possible to create files in arbitrary folders inside or outside of the destination folder when unpacking ACE archives. UNACEV2.DLL had not been updated since 2005, so it's best to drop ACE archive format support. It comes installed in the 32-bit version of Salamander only.

WinRAR has already dropped it: https://www.rarlab.com/rarnew.htm
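The bug class described above is an extraction path traversal: an archive entry name that escapes the destination folder. The containment check below is an added example in Python (not Salamander's or UNACEV2.DLL's code) of what an unpacker should enforce on every entry name before writing; the entry names and destination path are constructed samples.

```python
import os
import ntpath


def is_contained(dest_dir: str, entry_name: str) -> bool:
    """Return True only if the archive entry would be written inside dest_dir.

    Rejects absolute paths, drive letters and UNC prefixes (ACE is a
    Windows-native format, so both '/' and '\\' count as separators),
    any '..' component, and empty names, then confirms the resolved
    target still shares dest_dir as its prefix.
    """
    # Treat backslash as a separator no matter which OS runs the unpacker.
    name = entry_name.replace("\\", "/")
    # "C:..." , "C:/..." and "//server/share/..." must never be honoured.
    if name.startswith("/") or ntpath.splitdrive(entry_name)[0]:
        return False
    # Drop empty and "." components; any ".." component is a traversal.
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False
    # Belt and braces: resolve both sides and compare the common prefix.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    return os.path.commonpath([dest, target]) == dest


def rejected_entries(dest_dir: str, entry_names: list) -> list:
    """Return the entry names that an unpacker must refuse to extract."""
    return [n for n in entry_names if not is_contained(dest_dir, n)]


# Constructed sample listing: two benign entries, three traversal attempts.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    ".\\images\\logo.png",
    "..\\..\\escape.txt",
    "C:\\Users\\Public\\escape.txt",
    "\\absolute\\escape.txt",
]

if __name__ == "__main__":
    for bad in rejected_entries("/tmp/out", SAMPLE_ENTRIES):
        print("refusing entry:", bad)
```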

Petr Solin
ALTAP Staff
Posts: 1110
Joined: 08 Dec 2005, 09:13
Location: Novy Bor, Czech Republic

Re: vulnerability in UNACEV2.DLL

Post by Petr Solin » 25 Feb 2019, 08:55

We will also drop support for ACE archives. We will remove the UnACE plugin. Thanks for the info!

tajmone
Posts: 15
Joined: 24 Nov 2016, 20:49
Location: Italy

Re: vulnerability in UNACEV2.DLL

Post by tajmone » 27 Feb 2019, 16:01

Petr Solin wrote:
25 Feb 2019, 08:55
We will also drop support for ACE archives. We will remove UnACE plugin. Thanks for info!
When will this happen? AS hasn't been updated in over two years, but this being a security issue it should be addressed ASAP.

Even if there are no AS updates on the horizon (ie. features-wise) you should release security patches for the latest release.

Because AS is used as a replacement for Windows Explorer, it's used on all hard disk folders, including system folders, therefore any vulnerability might have serious repercussions on the filesystem and stored work.

I'm quite disappointed that there hasn't been any update for so long, and while I might indeed be patient when it comes to waiting for Unicode support in AS, when it comes to security there isn't really any room for "being patient", as AS might expose the whole system to such vulnerabilities.

You should really make some clear statement to your user base, here on the forum, regarding whether AS is still an actively developed product or not. And if it is, then there are no excuses regarding your duty to release security patches as soon as vulnerabilities are discovered. If AS is no longer active, then just say so and its users can start looking for another product.

The current situation, where an upcoming update is often mentioned but never really seen, is becoming unbearable — and, quite frankly, a rather unfair situation toward customers, especially for new customers who could be buying a license right now.

Saying that "you're working on updates" isn't really enough of a commitment — even if you are (as I believe you are indeed working on a new version that will support Unicode). The point I'm trying to make here is that AS' development strategy is something unheard of; you can't just set out to implement a next major version to introduce Unicode support and, in the meantime, freeze every type of update, including security patches!

You have a responsibility toward your user base in granting security from vulnerabilities. With AS being a file browser that even supports net protocols, and can access the registry, there aren't really any excuses that justify over two years without a single patch.

As a software developer, I just can't work my head around the fact that while you're working toward a major update you can't release patches for the current stable version. On which rationale should a major update development work justify leaving the latest stable release frozen?

This isn't a problem with the technical difficulties you might be facing in integrating Unicode, DPI awareness or whatever features into the next AS versions; this is a problem with the overall philosophy PROTECH adopts toward their software products' development and security issues. I am really quite surprised that something like this even needs to be mentioned on the forum of a product like AS, which is basically given access to the whole memory storage of a PC, or even an intranet network.

Are you really going to keep purchasing on the current line of development, where everything is frozen until Unicode in AS is finally ready?

I have the impression that the many posts on the forum that point out the current situation of stale development speak for themselves, and that the AS developers should seriously consider taking a clear stand in this respect, out of correctness toward their user base. If you're unable to make a commitment with clear ETAs regarding feature updates and patches, you'll eventually lose the trust of your customers and user base. There is only so much patience you can expect from any product's user base, especially from paying customers, and two years is quite a lengthy time when it comes to eroding trust, one day after the other awaiting a product update that never seems to make it.

But security ... well, that's another story altogether; for once I start doubting that you, as a company, have taken seriously to heart the security of my PC and work, then there is nothing you could ever do to gain back that trust — no Unicode support update, no DPI awareness, nothing. If I trust your product and allow it to access and manage my hard disk and network files, I NEED to know that you take very seriously your commitment to protect me, my PC and my work from security and vulnerabilities issues.
https://github.com/tajmone

therube
Posts: 625
Joined: 14 Dec 2006, 06:22

Re: vulnerability in UNACEV2.DLL

Post by therube » 27 Feb 2019, 20:10

this being a security issue it should be addressed ASAP
Plugins | Plugins Manager -> UnACE -> Remove.

Delete/rename the directory, \Servant Salamander\plugins\unace\.
WinXP Pro SP3 or Win7 x86 | SS 2.54

tajmone
Posts: 15
Joined: 24 Nov 2016, 20:49
Location: Italy

Re: vulnerability in UNACEV2.DLL

Post by tajmone » 27 Feb 2019, 21:03

therube wrote:
27 Feb 2019, 20:10
this being a security issue it should be addressed ASAP
Plugins | Plugins Manager -> UnACE -> Remove.

Delete/rename the directory, \Servant Salamander\plugins\unace\.
Thanks for the tip @therube, I appreciate it; but I was hoping that security issues would be addressed by automatic patches instead of having to check the forums daily to see if AS users discovered some vulnerabilities and then having to manually intervene on them. I'd feel better if the AS development team would ensure that AS is kept safe out of the box and via automatic updates.

I personally don't come and visit the forum often since AS is not getting updates anyhow.
https://github.com/tajmone

omega
Posts: 193
Joined: 09 Dec 2005, 19:21

Re: vulnerability in UNACEV2.DLL

Post by omega » 28 Feb 2019, 01:34

therube wrote:
27 Feb 2019, 20:10
this being a security issue it should be addressed ASAP
Plugins | Plugins Manager -> UnACE -> Remove.

Delete/rename the directory, \Servant Salamander\plugins\unace\.
Also look at Configuration screen -> Archivers Associations in Panels, External Archivers Locations, Packers & Unpackers in Dialog Box.
You need to delete the Ace items manually. In External Archivers Locations it is not possible to remove the Win32 Ace item.
