Does NanaZip share vulnerability to CVE-2024-11477 with 7-Zip? (Zstandard) #517

wgadelha opened this issue Nov 26, 2024 · 6 comments

@wgadelha

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11477

The vulnerability has been fixed in 7-Zip version 24.07.

I would be grateful if you could comment on whether NanaZip is also affected by the issue.

@MouriNaruto
Member

MouriNaruto commented Nov 26, 2024

NanaZip should not be affected, because the Core of the latest stable NanaZip (3.1) has been updated to the 7-Zip mainline 24.08 implementation.

But NanaZip Preview should be affected, because I have not released a new preview with the same features as 3.1.

Kenji Mouri

@wgadelha
Author

Thanks, Kenji, for the prompt response.
Have a great day!

@MouriNaruto
Member

MouriNaruto commented Nov 26, 2024

In general, here are the versions that were affected:

  • NanaZip 3.5 Preview 0 (3.5.1000.0)
  • NanaZip 3.0 Update 1 (3.0.1000.0)
  • NanaZip 3.5 Preview 0 (3.5.996.0)
  • NanaZip 3.0 (3.0.996.0)

Other releases will not be affected. For example, the latest stable, NanaZip 3.1 (3.1.1080.0), has updated its core's 7-Zip mainline implementation to 24.08. Other older versions use a Zstandard-based decompression implementation.

Kenji Mouri

@MouriNaruto
Member

MouriNaruto commented Nov 26, 2024

It should be OK for most users, because NanaZip will be updated automatically via the Microsoft Store, and NanaZip Preview is not the version which users should use day to day.

Kenji Mouri

@MouriNaruto
Member

Update: But actually, some guys may not use NanaZip Preview to exploit because NanaZip disables dynamic code generation in Release builds to prevent generating malicious code at runtime, lol.

Kenji Mouri

@MouriNaruto
Member

Here is the next preview version; it is waiting for Microsoft's validation.

https://github.com/M2Team/NanaZip/releases/tag/5.0.1188.0

Kenji Mouri
