[REQ] Patch critical vulnerability in 7-zip format (CVE-2024-11477)

[mdaeron]

Is your feature request related to a problem? Please describe

A potentially serious vulnerabilty in 7-zip decompression was reported recently.

Describe the solution you'd like

I would like Keka to used a patched version of 7-zip decompression. Also, ideally, users would be able to check which protocol version is used for a given format. Perhaps this is already implemented but I could not find where.

Additional context

Keka is awesome, thanks for making it!

[aonez]

Thanks for the info @mdaeron! A few points:

• Only 7zz has Zstandard support so only macOS 10.13 or newer can be affected
• Keka uses zstd, not 7zz, for Zstandard files so it is not affected while using the user interface
• Keka and it's binaries are sandboxed

That said 7-Zip 24.07 was released on 2024-06-19 and reports:
The bug was fixed: 7-Zip could crash for some incorrect ZSTD archives.

Probably this was the fix for this vulnerability that was reported on 2024-06-12 to the developer. Keka uses 24.08 version so this vulnerability should be already fixed.

Lets follow the updates about this vulnerability, but fear not :)

[aonez]

Just saw this on the report:

Fixed in fixed in 7-Zip 24.07

I've overlooked it before. So indeed this is already fixed. Thanks again @mdaeron!