Posts: 14,998
Threads: 9,765
Thanks Received: 9,132 in 7,284 posts
Thanks Given: 9,952
Joined: 12 September 18
26 June 25, 07:28
Quote:WinRAR 7.12 (stable)
Version 7.12
1. When extracting a file, previous versions of WinRAR, Windows versions
of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked
into using a path, defined in a specially crafted archive,
instead of user specified path.
Unix versions of RAR, UnRAR, portable UnRAR source code
and UnRAR library, also as RAR for Android, are not affected.
We are thankful to whs3-detonator working with Trend Micro Zero Day
Initiative for letting us know about this security issue.
2. Previously "Generate report" command included archived file names
into HTML report as is, allowing to inject potentially unsafe HTML tags
into the report. To prevent such injection the current version replaces
< and > file name characters in HTML report with < and > strings.
We are thankful to Marcin Bobryk (github.com/MarcinB44) for bringing
this security issue to our attention.
3. If "Test archived files" and "recovery volumes" archiving options
are used together, recovery volumes are also tested. Previous versions
completed the test before creating recovery volumes, so they hadn't
been verified.
4. Nanosecond file time precision is preserved for Unix file records
when modifying RAR archive in Windows. Previously it was converted
to Windows 100 nanosecond precision.
Source: WinRAR archiver, a powerful tool to process RAR and ZIP files
Download: WinRAR and RAR archiver downloads
Posts: 14,998
Threads: 9,765
Thanks Received: 9,132 in 7,284 posts
Thanks Given: 9,952
Joined: 12 September 18
Yesterday, 06:50
Quote:WinRAR 7.13 (stable release)
Version 7.13
1. Another directory traversal vulnerability, differing from that
in WinRAR 7.12, has been fixed.
When extracting a file, previous versions of WinRAR, Windows versions
of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked
into using a path, defined in a specially crafted archive,
instead of user specified path.
Unix versions of RAR, UnRAR, portable UnRAR source code
and UnRAR library, also as RAR for Android, are not affected.
We are thankful to Anton Cherepanov, Peter Kosinar, and Peter Strycek
from ESET for letting us know about this security issue.
2. Bugs fixed:
a) WinRAR 7.12 "Import settings from file" command failed to restore
settings, saved by WinRAR versions preceding 7.12;
b) WinRAR 7.12 set a larger than specified recovery size for compression
profiles, created by WinRAR 5.21 and older.
Source: WinRAR archiver, a powerful tool to process RAR and ZIP files
Download: WinRAR and RAR archiver downloads
![[-]](https://www.geeks.fyi/images/collapse.png "[-]")
