mailing list archives
PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319)
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 12 Mar 2014 21:20:57 +0100
PowerArchiver: Uses insecure legacy PKZIP encryption when AES is
The compression tool PowerArchiver version 14.02.03 creates files with
an insecure encryption method even if the user selects a (secure) AES
encryption in the GUI.
If a user clicks on the "Encrypt Files" and selects "AES 256-bit" for
encryption, the outcoming file will not be AES-encrypted. It will
instead use the legacy PKZIP encryption, which uses a broken
Note that there are different ways in PowerArchiver to create an
encrypted ZIP file, the issue only appears when using the "Encrypt
The PKZIP encryption has been broken by Biham/Kocher in 1994.
The vendor ConeXware has released version 14.02.05 which fixes the
issue. It also disables completely support for creating archives with
the broken legacy ZIP encryption.
2014-03-10: Issue found, vendor contacted
2014-03-10: Vendor replies, confirms issue
2014-03-12: Vendor publishes fixed version
mail/jabber: hanno () hboeck de
- PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319) Hanno Böck (Mar 13)