
There's a big difference between quality code and being a cowboy.

> I don't know Igor, but if 7z is anything to go by then he probably uses VC--I'm guessing here--6 for the same reason Sean Barrett does: It's way faster and less bloated than modern VS.

Then they should learn how to download the SDK and learn to use the command line to properly compile code with proper ASLR and other such security features. Keep working in VC 6.0 if you want, but for the love of all things good please enable basic ASLR.

It's 2018. It's time to get with the program. Various solutions (or at least... mitigations) to buffer overflows and code execution bugs have been discovered in the last 20 years. Yes, VS 6 was released in 1998. My use of the phrase "20 years" is literal.

It's shameful that a dev of one of the most popular open source tools out there doesn't care about security.

--------------

In any case, Igor runs his dev environment from 20 years ago. If someone was compiling code with GCC 2.95 (released 2001, three years after his version of VS), the first response from Linus Torvalds would be "Dear lord, please upgrade your compiler. I'm not going to ensure compatibility with 18-year old tech".

> I'm also guessing he doesn't use those security features because they're largely ineffective and just complicate things and slow them down.

ASLR is ineffective? Really?

https://www.cisecurity.org/advisory/multiple-vulnerabilities...

https://landave.io/2018/01/7-zip-multiple-memory-corruptions...

The freaking executable doesn't have the freaking "NX Bit". We're talking about the most barebone basics of security here.

No ASLR. A lack of NX Bit. Pretty much any security feature discovered in the last 20 years is missing from 7zip. It's actually one of the worst offenders of security I've ever seen in 2018.



counterpoint: please cite a single arbitrary code execution vulnerability that was found in 7z.exe


Your wish is granted?

https://www.cvedetails.com/cve/CVE-2016-2334/

I mean, there are easy databases to look for these sorts of questions...


Looks like that exploit will not work on x64 builds (the only thing anyone should be running in 2018) due to DEP


https://twitter.com/wdormann/status/955802146045353985

DEP would be nice, wouldn't it?

IIRC, Igor finally added DEP a few months ago (NXCOMPAT if you need to google the Internet Drama). But the fact that he was running this code without lol DEP until January of THIS YEAR makes me suspect his coding practices.

As per this other page:

https://landave.io/2018/01/7-zip-multiple-memory-corruptions...

> I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size. At least he will try to enable /NXCOMPAT for the next release. Apparently, it is currently not enabled because 7-Zip is linked with an obsolete linker that doesn’t support the flag.

This is bad. Very very bad. This should not have been happening in 2018. He wants to save literally ~kilobytes of .exe space instead of using ASLR. Igor is not someone who seems to take security seriously.

----------------------

In any case, there are ways around DEP. Which is why ASLR exists, and other such flags. Enabling DEP brings 7-zip into the year 2003 (when x86-64 was first released by AMD) level of security, but there are other security threats that are addressed with these other compiler flags.
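
Added example (not part of the thread, and not 7-Zip's or any commenter's code): a header check for the linker flags discussed above. It reads the `/NXCOMPAT` and `/DYNAMICBASE` opt-in bits and the relocations-stripped flag from a PE image; the sample images are constructed, the function names and the `aslr_effective` rule are this example's own, and `/GS` is a compiler option with no such header bit, so it is not checked.

```python
import struct

# Bit values defined in the PE/COFF specification.
RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no relocation table
DYNAMIC_BASE = 0x0040     # DllCharacteristics, set by /DYNAMICBASE
NX_COMPAT = 0x0100        # DllCharacteristics, set by /NXCOMPAT

def pe_mitigations(data: bytes) -> dict:
    """Report the ASLR and DEP opt-ins recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4                  # 20-byte COFF file header
    opt = coff + 20                    # optional header follows it
    if len(data) < opt + 72:
        raise ValueError("truncated optional header")
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs = not characteristics & RELOCS_STRIPPED
    return {
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "dynamic_base": dynamic_base,
        "has_relocs": relocs,
        # Assumption of this example: an image shipped without a
        # relocation table stays at its preferred base address.
        "aslr_effective": dynamic_base and relocs,
    }

def constructed_pe(characteristics: int, dll_chars: int) -> bytes:
    """Build a header-only PE32 image for the demo (constructed sample)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, characteristics)
    optional = struct.pack("<H", 0x10B) + bytes(68) + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + coff + optional + bytes(24)

if __name__ == "__main__":
    old = constructed_pe(0x0103, 0x0000)   # relocs stripped, no opt-ins
    new = constructed_pe(0x0102, 0x0140)   # /DYNAMICBASE + /NXCOMPAT
    for name, img in (("old-style", old), ("hardened", new)):
        print(name, pe_mitigations(img))
```

To audit a real binary, pass the file's bytes to `pe_mitigations`; only the headers are read.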


> Igor is not someone who seems to take security seriously.

On this we agree. The question is, how seriously does security deserve to be taken in this case?

The evidence suggests not very seriously at all. As horrifically insecure as 7z is by your metrics, I can't think of a single incident of it ever ruining anyone's day, unlike a lot of modern software that manages to do that while supposedly being "secure" and functioning "correctly".


> On this we agree. The question is, how seriously does security deserve to be taken in this case?

Well consider exactly what 7-zip is: it's a plugin to explorer.exe that will always be running. It's embedded into your "right click" button and is running at all times.

Any code that takes over 7-zip can take over explorer.exe on your typical use of 7-zip. I personally think its position as an explorer.exe plugin demands some kind of security posture.


That isn't how explorer's right-click context menu works. It's basically just a list of file extension pattern matches in the registry and command line to call when they're clicked:

  [HKEY_CLASSES_ROOT\7-Zip.7z\shell\open\command]
  @="\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""



