Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution

[Jacob Bachmeyer <jcb62281 () gmail com>]

On 8/9/25 15:46, lunbun wrote:
> [...]
>
> ## Details
>
> 7-Zip before 25.01 does not always properly handle symbolic links during
> extraction. Prior to 25.01, it was possible for a maliciously-crafted 
> archive
> to create an unsafe symbolic link. 7-Zip follows symbolic links when
> extracting, so this leads to arbitrary file write.
>
> An attacker may leverage this arbitrary file write to achieve unauthorized
> access/code execution, such as by overwriting a user's SSH keys or 
> .bashrc file
> [1]. In one extraction, an attacker may attempt several times to 
> leverage this
> vulnerability to write to sensitive files.

How much does the attacker have to guess here?  Somehow I doubt that 
7-Zip resolves "~" in file names or symlink targets.  (I understand that 
the attacker can simply pack multiple symlinks into the archive.)

To target .bashrc or replace the SSH authorized_keys file, does the 
attacker need to know the user's login name, or is it possible to simply 
list relative symlink targets using .., ../.., ../../.., etc. and hope 
that the archive is being extracted somewhere below the user's home 
directory, as opposed to somewhere under /tmp?

Does a malicious archive produce suspicious output when listed with `7z 
l`?  Is this more of a concern for systems that automatically extract 
archives and incautious users or is this actually a general problem?


-- Jacob