WinRAR Updates

[harlan4096]

WinRAR 7.12 (stable)

Version 7.12

1. When extracting a file, previous versions of WinRAR, Windows versions
of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked
into using a path, defined in a specially crafted archive,
instead of user specified path.

Unix versions of RAR, UnRAR, portable UnRAR source code
and UnRAR library, also as RAR for Android, are not affected.

We are thankful to whs3-detonator working with Trend Micro Zero Day
Initiative for letting us know about this security issue.

2. Previously "Generate report" command included archived file names
into HTML report as is, allowing to inject potentially unsafe HTML tags
into the report. To prevent such injection the current version replaces
< and > file name characters in HTML report with < and > strings.

We are thankful to Marcin Bobryk (github.com/MarcinB44) for bringing
this security issue to our attention.

3. If "Test archived files" and "recovery volumes" archiving options
are used together, recovery volumes are also tested. Previous versions
completed the test before creating recovery volumes, so they hadn't
been verified.

4. Nanosecond file time precision is preserved for Unix file records
when modifying RAR archive in Windows. Previously it was converted
to Windows 100 nanosecond precision.

Source: WinRAR archiver, a powerful tool to process RAR and ZIP files
Download: WinRAR and RAR archiver downloads

[harlan4096]

WinRAR 7.13 (stable release)

Version 7.13

1. Another directory traversal vulnerability, differing from that
in WinRAR 7.12, has been fixed.

When extracting a file, previous versions of WinRAR, Windows versions
of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked
into using a path, defined in a specially crafted archive,
instead of user specified path.

Unix versions of RAR, UnRAR, portable UnRAR source code
and UnRAR library, also as RAR for Android, are not affected.

We are thankful to Anton Cherepanov, Peter Kosinar, and Peter Strycek
from ESET for letting us know about this security issue.

2. Bugs fixed:

a) WinRAR 7.12 "Import settings from file" command failed to restore
settings, saved by WinRAR versions preceding 7.12;

b) WinRAR 7.12 set a larger than specified recovery size for compression
profiles, created by WinRAR 5.21 and older.

Source: WinRAR archiver, a powerful tool to process RAR and ZIP files

Download: WinRAR and RAR archiver downloads

[harlan4096]

WinRAR 7.20 (stable release)
 
Version 7.20

1. Performance improvements when deleting files in solid RAR archives:

a) if there are no non-zero files after deleted files, archive
recompressing isn't performed;

b) part of archive before deleted files is copied as is, without
repacking. Its contents is unpacked to memory if necessary,
but not recompressed;

c) semi-solid archive processing involves only solid blocks containing
deleted files. Unaffected solid blocks are copied as is.

2. "Generate archive name by mask" archiving option and -ag command line
switch:

a) new 'K' format character defines the current day of week
name as a text string;

b) new 'O' format character defines the current month name as a text
string regardless of format character number. Unlike "MMM" mask,
it allows to use shorter or longer than 3 character names,
such as -agOO;

c) excessive format characters exceeding the available field width
are now ignored instead of appending to archive name.
So it is possible to use full month or week day names by providing
format characters in the amount equal or exceeding the longest name,
such as -agKKKKKKKKKK for day of week names.

3. Command line -s switch:

a) switch -s accepts the optional parameter preceded by '=' character.

Switches -s, -se, -sv, -sv-, -s- are replaced by -s=f, -s=e,
-s=v, -s=d, -s=-. Previous versions of these switches are still
supported in the current version, but can be removed in the future.

It is allowed to combine multiple modifiers in the same switch,
such as -s=e100f.

b) new switch -s=r resets the solid statistics before adding new files
to existing archive.

4. Switch -tk now accepts the optional date parameter in YYYYMMDDHHMMSS
format. If used without parameter when modifying an archive,
it preserves the original archive time. If optional parameter
is present, it is assigned to archive modification time.

It is allowed to insert separators like '-' or ':' to the date string
and omit trailing fields. For example, switch -tk2025-06-01 is correct.

5. "Specified time" is added to "Set archive time to" options on "Time"
page of archiving dialog. It allows to assign the manually entered time
to newly created or modified archives.

6. UTF-8 output format and byte order mark options are added to
"Generate report" command.

7. "Cloud files" option is added to "Where to check for SFX archives"
group in "Settings/Integration/Context menu items..." dialog.

If this option is off, WinRAR shell extension will not attempt
to detect if archive is self-extracting, when right clicking
an executable cloud file not available locally. This detection
involves data read and can be slow for such files.

This option relies on file attributes returned by a cloud storage
provider and can be ignored if required attribute isn't supported
by specific cloud service.

8. "Copy to clipboard" button at the bottom of "Search results" dialog
places current results of "Find files" command to clipboard.

9. It takes less time to open a large archive with a lot of files
and folders in WinRAR file list. This is most noticeable for ZIP
archives containing millions of files.

10. Improved extraction speed of TAR and TAR based archives,
such as .tar.gz or tar.xz. It is most visible for hard disk drives
with slower seek time and large archives containing a lot of files.

11. SFX module sets sfxnamenoext environment variable, containing
SFX archive name without path and extension. It allows to append
the archive name to user defined destination path like:

Path=c:\Util\%sfxnamenoext%"

12. "minsize" parameter, defining the minimum file reference size
in -oi[0-4][:] switch, now can include an optional trailing
unit size character. So -oi:1m is the equivalent of -oi:1048576.

13. Switch -x recognizes exclude paths with both Windows and Unix style
path separators, so -xfolder\file and -xfolder/file do the same.
Previously only -xfolder\file excluded the file.

14. Bugs fixed:

a) "Files to exclude" field of archiving dialog was ignored for all
but first ZIP archives if "Put each file to separate archive"
option was turned on;

b) when processing "Convert archives" command, "Use for all archives"
option in the password prompt was available only for encrypted
archives with file name encryption and couldn't be enabled
when converting archives without encrypted file names.

WinRAR archiver, a powerful tool to process RAR and ZIP files  
WinRAR Download Latest Version