Urgent: Vulnerability in 7-Zip Native Library Affecting SevenZipJBinding

[andydwyerpandr]

Dear Boris,

We appreciate the quality and functionality of your SevenZipJBinding library, which has proven to be a valuable asset in our projects. We've integrated it into our systems and it meets almost all of our use cases.

However, during a recent vulnerability assessment, we discovered several existing CVEs associated with the underlying native 7-Zip library. Given 7-Zip's widespread use, it is a frequent target for malicious actors. The presence of these unaddressed vulnerabilities poses a significant risk to products that utilize SevenZipJBinding, potentially exposing them to exploitation.

Consequently, we have begun evaluating alternative solutions.

To avoid a broader migration and continue leveraging SevenZipJBinding, we urgently require your assistance in addressing this issue. Specifically, we need guidance on how to independently upgrade the native 7-Zip library within our SevenZipJBinding implementation. This would allow us to promptly incorporate the latest 7-Zip releases and associated security patches, without requiring your direct intervention for every update.

Implementing this upgrade capability is crucial for us. We have a strong interest in expanding our use of SevenZipJBinding across multiple applications within our organization. However, our adoption and wider rollout are contingent on resolving this vulnerability and establishing a sustainable update process.

We look forward to your prompt response and proposed solution. The timeliness of your reply is critical to our decision-making process.

Thank you for your attention to this urgent matter.

Sincerely,
Andy

[borisbrodski]

Dear Andy,

thank you very much for the kind words. I'm looking forward to keed 7-Zip-JBinding safe and up-to-date for everyone.

I'm working on the brand new version built from the new unified 7-zip code base (Window+Linux).
I managed to compile everything, working now on tests to pass.

If you are looking for the quick solution, please contact me at boris@brodski.name.

Kind regards
Boris

[andydwyerpandr]

Dear Boris,

I'm glad to hear you're actively working on the new version of 7-Zip-JBinding that's great news!

Could you please share with us your expected timeline for a release? Also, regarding the new unified code base: does it still bundle the native 7-Zip dll? If so, it would be very helpful to include an option to compile the native 7-Zip code ourselves. That way, we’ll be able to replace the dll whenever a new vulnerability is discovered or a new version is released.

Looking forward to your update.

Best regards,
Andy

[borisbrodski]

Dear Andy,

I'm working on 7-Zip-JBinding in my free time, so (besides times, where I get hired to implement some features, which is currently not the case). As a father of 2 I don't have a lot of free time, so no reliable timelines can be provided. But I hope to make the new release this year.

The new version will maintain native 7-zip code and 7-Zip-JBinding code compiled into single DLL. (As it the case now)

As of compiling 7-Zip-JBinding, you can compile it yourself. Just follow the instructions. You will need cmake, gcc and JDK 1.5.

Kind regards,
Boris

[jiaz83]

@andydwyerpandr if your company/work relies that heavily on boris work (in his free time), maybe you should start thinking about giving back and sponsor the development of the upcomming version.