Critical Security Update Required for Keka (7-Zip)

Posted: Wed Jun 08, 2016 5:22 am
by mr. black
Hi,

I am a long time user of Keka and have recommended it to many friends.

A critical security vulnerability was recently found in p7zip (a quick port of 7-Zip), the compression library that Keka is built on.

https://news.slashdot.org/story/16/05/1 ... ware-tools

p7zip is still under active development but has not yet been updated to include the version 16.xx 7-Zip code (which patches out the vulnerability).

https://sourceforge.net/projects/p7zip/files/p7zip/

Is there anyone still working on Keka that might be able to update the code once a new version of p7zip has been released?

Thanks!

Mr. Black

Re: Critical Security Update Required for Keka (7-Zip)

Posted: Sat Jun 18, 2016 7:49 pm
by aone
Hi Mr. Black,

I'm aware of this one, I'm always following 7zip and p7zip trackers. As soon as there's a stable p7zip release including these fixes I'll implement them :D

Re: Critical Security Update Required for Keka (7-Zip)

Posted: Fri Jul 15, 2016 11:08 am
by therealmarv
Hi,
I also asked the people who found that bug if Keka is affected. They say yes:
http://blog.talosintel.com/2016/05/mult ... 8344298928

The good news is:
p7zip 16.02 is now out officially :D :D

https://sourceforge.net/projects/p7zip/

Thanks for building a new Keka version soon!

Re: Critical Security Update Required for Keka (7-Zip)

Posted: Tue Aug 16, 2016 12:36 pm
by therealmarv
Where is the new Keka version? Keka does not care about security updates, do you? It takes too long...

Re: Critical Security Update Required for Keka (7-Zip)

Posted: Thu Aug 18, 2016 11:10 am
by matt
As a temporary measure, I've replaced two binaries inside the app with two more recent ones.

keka7z (I renamed official 7za 16.02, Keka used old 9.20)
kekaunrar (I renamed official UNRAR 5.40, Keka used old UNRAR 5.20 beta 1)

It's not a perfect fit, and it may break compatibility with some archive types, but it works for the archives I have to process.

To "install" these two new files:
- right click Keka
- choose "Show Package Contents"
- browse to Contents/Resources
- copy keka7z and kekaunrar
- confirm replacement of two older files

http://www.mediafire.com/download/pqhu9 ... pgrade.zip
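
A way to check which 7-Zip version the `keka7z` inside a Keka bundle reports, before or after a swap like the one above. This is an added example, not part of the thread or of Keka; it assumes the binary prints a `7-Zip ... <version> ...` banner when run without arguments, as 7za does, and the script name and `/Applications/Keka.app` path are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report whether a Keka bundle's keka7z
# is at least the p7zip release the thread names as fixed.
# Assumption: the binary prints a "7-Zip ... <major>.<minor> ..." banner line
# when run without arguments, as 7za does.

FIXED_VERSION="16.02"

# Print the first "N.NN" field on a banner line starting with "7-Zip".
banner_version() {
    printf '%s\n' "$1" | awk '/^7-Zip/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# Succeed when version $1 >= version $2 (major, then minor, compared as numbers).
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        split(have, h, "."); split(want, w, ".")
        if (h[1] + 0 != w[1] + 0) exit !(h[1] + 0 > w[1] + 0)
        exit !(h[2] + 0 >= w[2] + 0)
    }'
}

# Classify banner text: prints "patched V", "outdated V" or "unknown".
check_banner() {
    _v=$(banner_version "$1")
    if [ -z "$_v" ]; then echo "unknown"; return 2; fi
    if version_at_least "$_v" "$FIXED_VERSION"; then
        echo "patched $_v"
    else
        echo "outdated $_v"; return 1
    fi
}

# Run the bundled binary from an app bundle path and classify its banner.
check_app() {
    _bin="$1/Contents/Resources/keka7z"
    [ -x "$_bin" ] || { echo "no executable keka7z under $1"; return 2; }
    check_banner "$("$_bin" 2>&1 | head -n 5)"
}

# Usage (hypothetical script name): ./check_keka7z.sh /Applications/Keka.app
if [ -n "${1:-}" ]; then check_app "$1"; fi
```

The version check says nothing about where a replacement binary came from; it only reports what the file in the bundle claims to be.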

Re: Critical Security Update Required for Keka (7-Zip)

Posted: Mon Aug 22, 2016 7:38 am
by aone
Update coming in September... I hope I can do it sooner :(

Re: Critical Security Update Required for Keka (7-Zip)

Posted: Mon Oct 03, 2016 9:27 am
by matt
October now

Any news?

Re: Critical Security Update Required for Keka (7-Zip)

Posted: Tue Oct 18, 2016 1:30 pm
by aone
Release candidate ready! Get it on beta.kekaosx.com. It has p7zip 16.02 as well as an updated Sparkle framework.