Hi,
On 09/07/2026 17:21, yokota wrote:
Can we either confidently say it is affecting us or is this Windows
specific? The available information is unfortunately very light.
I think CVE-2026-58052 is Windows specific one.
Because it works for Mark-of-the-Web data on Windows file system.
The CVE page has reporters PoC page and describes why it works.
* https://www.cve.org/CVERecord?id=CVE-2026-58052
* https://github.com/bikini/exploitarium/tree/main/7zip-rar5-motw-chain-poc
Looking closer:
- the core issue seems the NTFS canonicalization of 'file:stream:$DATA'
to 'file:stream' (and 'file::$DATA' to 'file'), not anticipated by 7zip;
- ntfs-3g supports transparent ADS (streams) with '-o
streams_interface=windows', but doesn't canonicalize/strip ':$DATA' like
Windows NTFS does;
- the PoC hence doesn't work, even when removing the os==NT check, and
even when working in a ntfs-3g mount point with streams_interface on (no
content collision).
Also: we don't have Mark-of-the-Web support within the GNU/Linux
ecosystem desktop environments AFAIK, so overwriting the
':Zone.Identifier' stream doesn't have a security impact.
Overwriting/spoofing the file content itself can be a security problem
though. But again, unless a later version of ntfs-3g handles streams
differently, we're not affected, and even then we'd only be affected
within NTFS mount points with specific options.
Affected package: the PoC manually generates a .rar file that does NOT
compress the files hence doesn't use the non-free RAR compression, only
of the RAR archive format, so this .rar file is perfectly handled by the
base 7zip (not 7zip-rar) package. So I think 7zip is affected (and
similarly p7zip).
Cheers!
Sylvain