Bit7z v4.0.11

[rikyoz]

⚠️ Security Update ⚠️

This security bugfix release fixes CVE-2026-27117.

A path traversal vulnerability ("Zip Slip") existed in bit7z's archive extraction functionality.

The library didn't adequately validate file paths contained in archive entries and returned by 7-Zip's DLLs, which do not perform any validation on entry paths within archives.

This allowed files to be written outside the intended extraction directory through three distinct mechanisms: relative, absolute, and symbolic link path traversal.

Note

The vulnerability only poses a risk if the application using bit7z handles user-supplied/unverified archives.

Changes from v4.0.10

The build option BIT7Z_PATH_SANITIZATION is now available on all platforms (previously, it was a Windows-only option).

When BIT7Z_PATH_SANITIZATION is OFF (the default):

• Archive entries with absolute paths (e.g., /etc/crontab on Unix systems or C:\Windows\System32\evil.dll on Windows) are rejected, resulting in an extraction failure.
• On Windows, entries with drive-relative paths having the same drive root as the output directory are stripped of the drive root (e.g., C:file.txt -> file.txt), and treated as relative paths; if the drive roots are different, the entry is rejected.

When BIT7Z_PATH_SANITIZATION is ON:

• On Windows:
  • Entries with drive-relative paths will be sanitized without creating a dummy directory as in previous versions (e.g., C:file.txt -> C_file.txt instead of C_\file.txt).
  • Other kinds of paths will be sanitized as in the previous versions (absolute paths are converted to relative paths, e.g., C:\Windows\notepad.exe -> C_\Windows\notepad.exe).
• On Linux, entries with absolute paths are stripped of the root path separator prefix, converting them to relative paths (e.g., /etc/crontab -> etc/crontab).

Regardless of the BIT7Z_PATH_SANITIZATION setting:

• Entries with relative paths are rejected if their resolved path falls outside the output directory of the extraction operation (e.g., ../evil.txt), resulting in an extraction failure.
• The target path of symbolic link entries is sanitized in the same way as any other entry path and rejected if it points outside the output directory.

Other changes

• Added support for new archive formats (issue [Bug]: apfs format not being detected #311):
  • APFS
  • AVB
  • LVM
  • LP
  • Sparse
• Improved format detection of VHD/VHDX archives.
• Fixed missing read-only attribute after extracting Tar archives on Windows.
• Fixed and improved reading symbolic links for storing them in archives ([Bug]: Compile error when bit7z.lib is introduced into the project. #198 (comment)).
• Fixed automatically adding long paths prefix for long UNC paths.
• Fixed missing namespace scope when using some GUIDs.
• Fixed and updated CMake project version.
• Fixed compile options for MSVC Clang compatibility (issue [Bug]: Non-existent flags to clang-cl cause compilation failure #322).

---

Full Changelog: v4.0.10...v4.0.11

This is a maintenance release. For a full changelog of the other changes introduced by bit7z v4, please check https://github.com/rikyoz/bit7z/releases/tag/v4.0.0.

Binaries built using the default options with Clang10, GCC 9, MinGW 8, MSVC 2015, 2017, 2019, and 2022 👇

---

This discussion was created from the release Bit7z v4.0.11.