In light of the recent CVE raised against 7-Zip, we wanted to provide reassurance to our customers and community. The CVE confirms that it covers all versions up to and including 21.07, the version that is used in Chocolatey CLI. As the 7-Zip components that are bundled with Chocolatey CLI are not those stated in the CVE, Chocolatey CLI is not affected.
CVE-2022-29072 Details
The CVE states:
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process,
The CVE author created a GitHub repository that shows the use of the 7-Zip help file, 7-zip.chm, and a .7z archive file to gain escalated privileges on the system. To exploit a system, the user must open the 7-Zip help and drop a .7z archive file onto the open help file. This is not something that a user would do in the normal process of working with 7-Zip.
Is Chocolatey CLI Vulnerable?
If you browse the tools folder in the Chocolatey installation directory (by default this is C:\ProgramData\chocolatey) you will see that Chocolatey CLI does not ship with the 7-Zip help file, 7-zip.chm or the 7zFM.exe file that are required by the CVE. Chocolatey CLI is therefore not affected by this CVE.
7zip Chocolatey Package
The latest version of the 7zip Chocolatey package is 21.7 which is vulnerable according to the CVE. Once 7-Zip have released a new version, the 7zip package will be automatically updated and pushed to the Chocolatey Community Repository by the package maintainer.
Note that the 7zip Chocolatey package removes the leading zero from the version number therefore 7-Zip version 21.07 is the 7zip Chocolatey package version 21.7.
Recommendations
The CVE author suggests that the 7-Zip help file, 7-zip.chm, is removed from the file system. By default, 7-Zip installs to C:\Program Files\7-Zip. This will stop the help file from being displayed which means that you cannot drag and drop a .7z archive file onto it.
If further information, or recommendations become available we will update this post.
Summary
We hope this post reassures our customers and community that Chocolatey CLI is not vulnerable to the recent CVE for 7-Zip and why it is not vulnerable.
For Security related issues, please see our documentation for responsible disclosure. If you are a licensed Customer with valid Maintenance and Support, then please do reach out to Support (run choco support to find out your options) or use our Community Discord Chat if you have further questions.