The 7zip format, or the actual 7zip application?
Technology
News community around technology, social media platforms, information technology and governmental policy surrounding it.
What doesn't fit here?
The core of the story has to be technology focused.
- If article mentions "AI" in a sentence and then talks about business economics that doesn't make it tech news.
- Gaming is too many layers removed from technology. There are many dedicated communities that are a better fit for it.
- Transportation is too many layers removed from technology. While EVs use many cool technologies, there are many dedicated communities that are a better fit for them.
- Entertainment is too many layers removed from technology. While sometimes it can fit here, business or cultural aspects of it are a better fit for dedicated communities.
- Cybersecurity. While it heavily focuses on technology, most of the time it's too technical for most people who are not already invested in it. It should be posted in dedicated communities unless it has a broader connection to other tech areas.
Post guidelines
Title format
Post title should mirror the news source title. If you don't like the title of article, look for an alternative source instead of editorializing it.
URL format
Post URL should be the original link to the article (even if paywalled) and archived copies left in the body. It allows avoiding duplicate posts when cross-posting.
[Opinion] prefix
Opinion (op-ed) articles must use the [Opinion] prefix before the title. Opinion articles are articles whose publisher doesn't explicitly endorse them.
Country prefix
Country prefix can be added to the title with a separator (|, :, etc.) if the news is from a local publisher who doesn't clearly mention the country.
Rules
1. English only
Title and associated content has to be in English.
2. Use original link
Post URL should be the original link to the article (even if paywalled) and archived copies left in the body. It allows avoiding duplicate posts when cross-posting.
3. Respectful communication
All communication has to be respectful of differing opinions, viewpoints, and experiences.
4. Inclusivity
Everyone is welcome here regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
5. Ad hominem attacks
Any kind of personal attacks are expressly forbidden. If you can't argue your position without attacking a person's character, you already lost the argument.
6. Off-topic tangents
Stay on topic. Keep it relevant.
7. Instance rules may apply
If something is not covered by community rules but is against lemmy.zip instance rules, those rules will be enforced.
Companion communities
!globalnews@lemmy.zip
!interestingshare@lemmy.zip
If someone is interested in moderating this community, message @brikox@lemmy.zip.
application my man. Literally the first paragraph of the article contains:
If a user simply opens a booby-trapped crafted archive (.7z, .zip, .rar, etc) on a machine with at least 16 GB of RAM, they'll be running malicious code. Extracting the archive isn't necessary; only opening it is enough. We recommend that everyone immediately update to the latest version, 26.01, published in late April; all previous versions are vulnerable.
...and because I'm sure people still won't read the article, this also includes countless things that use 7zip libraries to do zipping actions, including things like file browsers, chocolatey and probably other stuff. 7zip is FOSS and widely used for all kinds of things that go beyond consumer GUI usage.
That’s exactly why I asked for clarification. Is this an issue with their executable or is it their compression code?
I use Keka for macOS, which uses 7zip’s code for handling .7z archives. So I should probably hope for a quick update from them.
You asked if it was the application or the file format.
Sounds like neither, it’s the compression library.
It's both - library and apps that use it.
More often than not, I don't read the article due to a lemming summing it up nicely for us in the comments lol.
What does it mean to open it in this case?
any machine with at least 16gb RAM
Sometimes being broke ain't all that bad.
Another cataclysmic 7zip vuln??? It's been less than 6 months!
- high performance legacy software like this often uses low-level languages like c, c++, and assembly
- these low-level languages are extremely powerful but require manual management of memory
- that memory management is a common place where bugs like this can be found. This vulnerability is a memory overflow
This kind of bug's severity and how easy it is to accidentally introduce is why many high performance applications are moving to the Rust programming language, which was specifically designed to try and prevent/minimize memory bugs.
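To make the "manual memory management" point above concrete, here is an added example (not code from the article, from 7-Zip, or from the commenter) of the bug class being described: an archive parser that copies a name into a fixed buffer using a length field read straight from the file. The record layout, the `NAME_MAX` size and the sample records are all invented for illustration and have nothing to do with the real 7z format or the vulnerability being discussed; the point is the missing check in the first function versus the two checks in the second.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 32   /* capacity of the destination buffer (assumption) */

/* Illustrative record layout (an assumption, not any real archive format):
 *   bytes [0..1]  name_len, little-endian uint16
 *   bytes [2..]   name_len bytes of name
 */
static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: the attacker-controlled length field is trusted.
 * A name_len > NAME_MAX makes memcpy write past 'out' (a buffer overflow);
 * a name_len larger than the record itself also reads out of bounds.
 * Only ever call this with benign input; it is here to show the bug. */
int parse_name_unchecked(const uint8_t *rec, size_t rec_len, char out[NAME_MAX])
{
    (void)rec_len;                 /* the size of the input is never consulted */
    uint16_t n = rd16le(rec);
    memcpy(out, rec + 2, n);       /* no bounds check on n */
    out[n] = '\0';
    return (int)n;
}

/* Hardened pattern: every length derived from the file is validated against
 * both the destination capacity and the remaining input before any copy. */
int parse_name_checked(const uint8_t *rec, size_t rec_len, char out[NAME_MAX])
{
    if (rec_len < 2)                 return -1;   /* truncated header */
    uint16_t n = rd16le(rec);
    if (n >= NAME_MAX)               return -2;   /* would overflow out[] (incl. NUL) */
    if ((size_t)n > rec_len - 2)     return -3;   /* would read past the record */
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample records (not taken from any real archive). */
static const uint8_t benign_rec[]  = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t crafted_rec[] = { 0x00, 0x10, 'A', 'A', 'A', 'A' }; /* claims 4096 bytes */
static const uint8_t short_rec[]   = { 0x0A, 0x00, 'A', 'B', 'C', 'D' }; /* claims 10, has 4 */

/* Runs the checked parser over the samples; returns 0 when it accepts the
 * benign record with the right contents and rejects both crafted ones. */
int demo(void)
{
    char buf[NAME_MAX];
    int a = parse_name_checked(benign_rec,  sizeof benign_rec,  buf);
    int ok_name = (a == 5 && strcmp(buf, "hello") == 0);
    int b = parse_name_checked(crafted_rec, sizeof crafted_rec, buf);
    int c = parse_name_checked(short_rec,   sizeof short_rec,   buf);
    printf("benign=%d crafted=%d short=%d\n", a, b, c);
    return (ok_name && b == -2 && c == -3) ? 0 : 1;
}

int main(void)
{
    return demo();
}
```

The unchecked version is the shape of bug that a memory-safe language rejects at compile time or turns into a clean panic at run time; in C the same input silently corrupts whatever sits after the buffer.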
It's not in the 7z compression format, so it might be worth just flagging any file with the ntfs headers for now? I would like to think that av companies could add that.
That actually doesn't seem to be so severe.
How many people download some random archive and then, after extracting it, they double click on the files inside it?
It says the risk of this vuln is arbitrary code execution of a maliciously crafted archive.
After fixing this bug, most 7zip users will still be vulnerable to arbitrary code execution due to maliciously crafted archives.
According to the last paragraph, the vulnerability is in reading the archive itself, not the decompressed contents.
I think what quick snail is saying is that if you are going to download a malicious zip file you are just as likely to unzip the archive and run the program inside. It's a lot easier to just have a malicious payload inside the archive.
As an archivist, that image makes me very sad