The interesting corner

Upgrading to 7z version 24.09 (CVE-2024-11477)

Introduction

Recently, a new vulnerability (CVE-2024-11477) was discovered in 7-Zip versions before 24.07 that could allow arbitrary code execution. This is of course very bad news, and you should upgrade as soon as you can. As the article states, 7-Zip doesn't have its own update mechanism, so we need to do it manually.

p7zip and 7z

I had the package p7zip installed, which is a port of the 7za.exe for Windows. When you download the latest 7zip version, the readme also shows the difference between this package and 7z:

7-Zip and p7zip
===============
Now there are two different ports of 7-Zip for Linux/macOS:

1) p7zip - another port of 7-Zip for Linux, made by an independent developer.
   The latest version of p7zip now is 16.02, and that p7zip 16.02 is outdated now.

2) 7-Zip for Linux/macOS - this package - it's new code with all changes from latest 7-Zip for Windows.
                

As the readme states, p7zip is based on 16.02 and is outdated, so if you have that installed, please consider updating.

Updating that mf

x64

Now for the most important part: updating. You can get the latest version from the 7-zip download page. I first downloaded the 64-bit Linux x86-64 version for my x64 machines. After extracting (with tar -xvf 7z2409-linux-x64.tar.xz) there were 2 executables: 7zz and 7zzs. The readme tells you what these files are:

7zz         - standalone console version of 7-Zip (version compiled for dynamic system library linking)
7zzs        - standalone console version of 7-Zip (version compiled with static system library linking)
                

I prefer using the version with dynamic library linking, because then updates to libraries also get included when I update them. I first removed p7zip, and then copied the executable to the desired location: sudo cp 7zz /usr/bin/7z. To make sure the permissions were correct I used sudo chmod 755 /usr/bin/7z. To check if it worked, I executed 7z and got the following result:

7-Zip (z) 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-28
    64-bit locale=en_US.UTF-8 Threads:4 OPEN_MAX:1024, ASM
                

arm64

For my ARM-based machines, I downloaded the 64-bit Linux arm64 version and extracted it using tar -xvf 7z2409-linux-arm64.tar.xz. Now I needed to use the 7zzs version, because when I copied the 7zz version and executed it, I got the error -bash: 7z: command not found. When I used the right version I got the correct output:

7-Zip (z) 24.09 (arm64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-28
    64-bit arm_v:8-A locale=en_US.UTF-8 Threads:4 OPEN_MAX:1024, ASM
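
A version check to go with the upgrade steps above, as an added example that is not part of the original post: it reads the banner line that 7z prints and compares the version against 24.07, the threshold the post gives. The list of command names and the p7zip-style sample banner are assumptions made for this example.

```sh
#!/bin/sh
# Added example: flag 7-Zip binaries older than the fixed release named above.
FIXED=24.07   # versions before this are affected by CVE-2024-11477, per the post

# Print the MAJOR.MINOR version from a 7-Zip / p7zip banner.
# The banner is the first output line starting with "7-Zip"; the version is
# the first whitespace-separated field of the form digits.digits.
banner_version() {
    printf '%s\n' "$1" | awk '/^7-Zip/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+$/) { print $i; exit }
        exit
    }'
}

# Succeed when version $1 >= $2. The parts are compared as numbers, so
# 9.20 < 24.07 and a minor of "09" is not misread as octal.
version_ge() {
    awk -v v="$1" -v f="$2" 'BEGIN {
        split(v, a, "."); split(f, b, ".")
        exit !(a[1] + 0 > b[1] + 0 || (a[1] + 0 == b[1] + 0 && a[2] + 0 >= b[2] + 0))
    }'
}

# Print "patched VER", "vulnerable VER" or "unknown" for banner text $1.
classify_7z() {
    ver=$(banner_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 2; fi
    if version_ge "$ver" "$FIXED"; then echo "patched $ver"; return 0; fi
    echo "vulnerable $ver"; return 1
}

# Constructed sample banners: the first matches the output shown in the post,
# the second imitates a p7zip 16.02 banner.
SAMPLE_NEW='7-Zip (z) 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-28'
SAMPLE_OLD='7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21'

# Check every 7-Zip command name found on PATH (this list is an assumption).
for name in 7z 7zz 7zzs 7za 7zr; do
    bin=$(command -v "$name") || continue
    result=$(classify_7z "$("$bin" </dev/null 2>&1)") || true
    echo "$bin: $result"
done
```

Any line reporting "vulnerable" or "unknown" points at a binary that still needs replacing or a closer look, for example a leftover p7zip install.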