Tag Archives: 7zipper

Statement on 7z encryption bug & PHP-Pear Supply Chain attack

At HonestRepair we monitor and test our dependencies for vulnerabilities regularly. It helps ensure that our platform is capable of meeting your needs for privacy and security.

This past week we were made aware of a bug within one of our dependencies, and a possible backdoor in the supply chain of another dependency.

The first dependency to be affected was 7zipper. This package was affected by a weak random number generation technique that affects the integrity of archives encrypted and password protected with 7z. Details about the discovery can be found on this blog post.

Since our products and services don’t utilize password protection features of 7z archives, this bug doesn’t affect our services or our software. Still, 7z is a dependency of our products so users should be aware of these vulnerabilities and update 7z as soon as a patch becomes available.

There were also backdoors found in the PHP-Pear package that are described in this blog post. Users who installed PHP-Pear on a server in the last 6 months should download the latest update and scrutinize their servers for remote access trojans (RAT’s). We have done the same and found no evidence to suggest that our servers were compromised.