UnRAR-DLL Plugin - has a critical security bug
Posted: 27 Aug 2023, 21:32
Hi,
I do promotion for Servant Salamander (at least) since I knew it from version 1.54.
Recently WinRAR had a vulnerability bug which could execute malicious code even when opening a prepared rar file, which contains recovery volume information.
https://www.heise.de/news/WinRAR-Luecke ... 83622.html
Years ago, WinACE plugins were a security problem in several programs as they enabled opening prepared ace-files (7zip, winrar, winzip, peazip, Total Commander .... and many more)
Now, it's Winrar.
And several programs offering rar handling are affected.
So I instantly downloaded unrar.dll from the winrar homepage and tried to exchange it in all occurrences on my systems.
But when I now click on rar archives, I get a message that Servant cannot load the unrar.dll library, because it wouldn't be a Win32 application.
"Unrar-Plugin unrar.spl is no Servant plugin or has an internal error"
However when I examine the (old;your) unrar.dll, I have the suspicion that it does not have a PE 32 format, itself. (self compiled ?)
Even your old dll is bigger than the newer one, directly loaded from winrar (precompiled).
unrar.dll which is coming with Servant 4.0
01.08.2023 11:27 -- Size: 291.928 UnRAR.dll <<<- new one, loaded from winrar
24.06.2019 22:50 -- Size: 320.728 _unrar.dll <<<-- yours
01.07.2019 10:19 -- Size: 65.864 unrar.spl
Anyway.
Although you regrettably have not implemented tabs since 2012 (a killer feature!!!),
you should anyhow offer an update for that winrar plugin, because this could lead to a really big security problem for users.
And this would not be worthy of this absolutely fine program, brought to us by you.
I hope you can fix it.
(and implement tabs and much more )
MANY thanks! (and hope you are well !)
Kind regards.
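
A "not a Win32 application" error when a host loads a swapped-in DLL is commonly a 32-bit/64-bit mismatch between the two; whether that is the cause in this post is an assumption, not something the post establishes. The following is an added example (not from the post, Servant Salamander or WinRAR) that reads the PE headers of a file and reports its format and target machine; the function names and the sample headers are constructed for illustration.

```python
import struct
import sys

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}  # COFF Machine values
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}                    # optional-header Magic

def pe_format(data):
    """Return (format, machine) for a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)  # COFF header
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)   # optional header
    return MAGICS.get(magic, hex(magic)), MACHINES.get(machine, hex(machine))

def same_bitness(old_dll, new_dll):
    """True when a replacement DLL has the same format/machine as the original."""
    return pe_format(old_dll) == pe_format(new_dll)

def sample_header(machine, magic):
    """Constructed minimal header: only the fields pe_format() reads."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return dos + coff + struct.pack("<H", magic)

if __name__ == "__main__":
    # Usage: python pecheck.py old_unrar.dll new_unrar.dll plugin.spl
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        try:
            print(path, *pe_format(head))
        except ValueError as err:
            print(path, "not a PE file:", err)
```

Run it against the original DLL, the replacement and the plugin file before swapping; if the formats differ, pick the build of the replacement that matches the original.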