The Windows 11 context menu for PowerArchiver on normal files (to be compressed, etc.) is now showing multiple tiers with two identical menus. See attached captures of the issue:
Edition Windows 11 Pro
Version 24H2
OS build 26100.2605
Hello!
I’ve just created SFX-Archives both from ZIP and 7z-Archives and none has an Icon as it seems.
I use the new version 22.00.11.
Basically I used PowerArchiver context menus to zip up a folder, then I used Windows 11's own built-in zip extractor via the context menu to extract all, and this is where it threw up a fault. I’m using Windows 11.
The file that was a problem in the zip that windows 11 could not extract was iva “babe” cotton.jpg
I know it has non standard quotes in it.
However, I had WinRAR on the computer and tried the exact same method with their context menu compress to zip, and then I extracted the file with Windows' own extract all context menu and it had no problems. This indicates that PowerArchiver is doing something different with iva “babe” cotton.jpg when compressing to zip.
Then I changed iva “babe” cotton.jpg to iva babe cotton.jpg and compressed it with PowerArchiver and then tried it with Windows 11 extract all and had no problems. It looks like PowerArchiver is doing something to that one file that has quotes in it.
Please note that PowerArchiver extracted both zip files with no problems; only Windows' built-in zip extraction had the fault. The reason I’m letting people know is in case they send zip files with special characters in file names to people who do not have PowerArchiver.
When will a fix be implemented?
On installing the program I am getting the error message:
"Unable to execute file c:\Program Files\PowerArchiver\pashutil.exe
CreateProcess failed: code 2
The system cannot find the file specified"
This can’t be right!
I am using the latest official build of Windows 11
Buttons are not properly aligned on About screen.
Buttons not aligned on configuration window.
New version:
PowerArchiver 2023 - 22.00.10:
Download:
https://u.powerarchiver.com/pa2023/powarc220010.exe
New build for some bug fixes and issues - full list to come with new update. Please test and see if you have any issues.
Thanks everyone for your assistance!
New version:
PowerArchiver 2023 - 22.00.11:
Download:
https://u.powerarchiver.com/pa2023/powarc220011.exe
New build for some bug fixes and issues - full list to come with new update. Please test and see if you have any issues.
Thanks everyone for your assistance!
Just tried using the Modern (Windows 10) Icon set and seeing a few missing icons in both PowerArchiver Burner and PowerArchiver Encryption screens. They are all there in the Minimalistik icon set and the only difference I can see is the former is blue and the latter grey. In version 22.00.9
Hi everyone, some good news about PowerArchiver… I’ve managed to get in touch with the original developer of PowerArchiver, Ivan Petrovic, and he has confirmed that the product is not dead or abandoned, in fact it is still very much alive! There has been a hiatus over the past months for various reasons, but that we should expect to see stuff coming through in the coming months (hopefully the next 2 months).
I had a large .tar file (a backed up WSL) and I want to delete a few directories and their contents from it using PA2023.
PA just destroys the whole archive as soon as I try to delete a directory, leaving it in a state where PA2023 won’t even open it any more.
I tried several times and also tried compressing it to .tar.xz instead - same result.
This should either actually work, or it should say operation not supported and do nothing.
Hello!
The regular version of PA 2023 is out for over 6 months now, but there is still no sign of the portable release.
(When) will there be one?
Thanks!
Hello!
Is there currently no portable version of PA2023 available?
(When) do you plan to release one?
Thanks!
Win 11 64 bit
I have some archives which have been encrypted, using the encrypt option either in pbs or when interactively creating a zip. When I open these, and look at files, I am asked for passwords, which I know, and then can view items or decrypt the files in the archive (tools>decrypt files).
However, when I use the Actions>Remove Archive Encryption (whether using the same zip or asking to write another), the routine shows progress bar to the end, but then just hangs i.e. “OK” never activates. All process information shows this stalled/hanging.
What can I do to sort this out?
For example:
Download this ZIP file: http://dslstats.me.uk/files/dslstats32W-6.5.zip
Everything in the ZIP file is in a directory “dslstats32W-6.5”.
However when I extract using right click “Extract Here” the name of the directory created is “2W-6.5” !
I am running PA 22.00.09 on Windows 11. I have seen the same happen with some other kinds of archive too.
If I compress a folder to a .pa using right click, Compress to folder.pa and use the new Windows 11 menu then the Options, Configuration, Miscellaneous, Use normal relative path setting is always enabled.
But I like this option disabled so I have to use the old style menu in order to get PA to compress a folder in the way I wish.
Solved Security vulnerability in UnAceV2.dll
-
Hi,
I guess PowerArchiver and PACL are also affected by this:
https://research.checkpoint.com/extracting-code-execution-from-winrar/
The vulnerability is inside UnAceV2.dll, which is also used by PowerArchiver and PACL.
As a result of these vulnerabilities, WinRAR dropped ACE support.
Could you please have a look and also take action.
-
@BigMike said in Security vulnerability in UnAceV2.dll:
Hi,
I guess PowerArchiver and PACL are also affected by this:
https://research.checkpoint.com/extracting-code-execution-from-winrar/
The vulnerability is inside UnAceV2.dll, which is also used by PowerArchiver and PACL.
As a result of these vulnerabilities, WinRAR dropped ACE support.
Could you please have a look and also take action.
Someone already reported it to us via email… a preliminary look says that at the very minimum we are not affected in the same way (we can't reproduce it on our system yet), but we need to test more.
The main problem is path handling, and with proper filtering from our side, it should not be an issue. Of course, the easiest action is to simply delete the ace dll and do no work other than that.
-
Thank you for the quick response.
It’s really nice to hear, that you’re already aware and testing.
For sure, having a workaround and keep ACE support would be the preferable over removing the dll and abandoning ACE archives completely.
-
@BigMike said in Security vulnerability in UnAceV2.dll:
Thank you for the quick response.
It’s really nice to hear, that you’re already aware and testing.
For sure, having a workaround and keep ACE support would be the preferable over removing the dll and abandoning ACE archives completely.
It is “easier” if they find something in PA specifically, since we get a full report that is not published and an example of an archive that reproduces the issue.
edit: also they give between 20 and 40 days between reporting the issue (to WinRAR) and publishing it (today). So the WR team knew about this 20-40 days ago.
-
Sure, I guess almost any product supporting ACE archives could be affected, as most of them will rely on the provided closed source UnAceV2.dll instead of trying to implement an own solution.
But as I’m using your products and not any other, my primary interest is that you are aware of the issue and ensuring that your products are safe. And I know it will be hard if you don’t have an example to test the issue.
To be honest, I used WinAce myself a long time ago, but I doubt I have any ACE archives around. So I guess dropping support is really a good option if it would take much work to mitigate the issue. There are really good alternatives available now. Your PA format for own use - or 7z if you like to use a “common” format.
-
@BigMike said in Security vulnerability in UnAceV2.dll:
Sure, I guess almost any product supporting ACE archives could be affected
every product has different path filtering already, it was a problem showing up many times before with various different formats.
Question is just what else can be found… we will be removing ace support until we can add our new dll.
-
Hi,
just to let you know:
If you can’t get the original example from CheckPoint, maybe you’ll like to contact the author of Total Commander.
In this forum post the author of Total Commander tells, that he managed to create a test archive on his own and also already found a workaround.
In the very same thread, he published his example.
My results with:
PowerArchiver 2018 x64 18.01.04 and its Shell Extension (“extract here” and “extract to <archive name>”):
There, the file seems to be simply skipped (but I get no error, that there was something wrong)
PowerArchiver 2019 x86 19.00.30 and its Shell Extension
Shell Extension: Gives me errors, but extracts the file to the traversal path and therefore is affected (both cases)
PowerArchiver: Also gives me an error, but then extracts the file to the traversal path and is affected.
With PACL 9.00b
paext64 seems also to skip the file
paext32 extracts the file to the very same folder (ignoring the traversal path)
-
@BigMike We got the files from Christian over the weekend, but we could not reproduce them being sent to the wrong path, so thank you for testing. We have issued updates for all PowerArchiver setups over the weekend, so you can get the latest update via our website. Should be going up on PB later today.
-
Did you test with a x86 OS/PowerArchiver. As I wrote, I was able to reproduce the issue (only) in the x86 version.
But thank you for your quick action.
-
@BigMike said in Security vulnerability in UnAceV2.dll:
Did you test with a x86 OS/PowerArchiver. As I wrote, I was able to reproduce the issue (only) in the x86 version.
But thank you for your quick action.
Yeah, ace.dll was 32-bit only, so it worked in 32-bit versions of PA only. But we couldn't reproduce it; regardless of that, we have removed it for now. Thanks for the testing and checking!
-
Actually, the new behavior may lead to some confusion if a user doesn’t know about this issue.
The new versions can open ACE archives and display the contents. (I guess, this is your own code).
Trying to extract via command line (PACL), shell extension or dialogs (PowerArchiver) fails silently without an error/information message.
Trying to extract via drag and drop will create 0 byte files, while the correct file sizes are displayed in the archive. Again, no error/information message.
Could you please either add a message or remove the support for this format completely?
-
FWIW, I have been heavily into computing since April 1992 and was online well before the internet was even around and have never come across an ACE archive.
-
I used ACE format for my own file storage, years ago. There was a time, when ACE had very good compression ratios compared to other formats.
But as you say, it was pretty unknown for most people and therefore not suited for common file exchange. As 7z is wide spread and has good ratios, I mostly use this format.
But this doesn’t change the point of my last post. At least a message should be displayed, that extracting files from ACE archives isn’t supported anymore, to not confuse users.
-
@spwolf Just to let you know:
ghisler, the author of Total Commander, managed to patch UnAceV2.dll, so that the path traversal attacks fail:
Post with the patched dll
Explanation, what was changed (German)
You wrote, you weren’t able to reproduce the issue at all.
I was able to reproduce it with ghisler’s test file (just rechecked with PA 19.00.30, x86)…
I’ve tested his patched dll with the very same version. The issue seems to be fixed here.
The extraction of a malicious ace file silently fails as described. A “good” ace archive extracts as expected.
I’m not sure if adding ACE support again, is wise.
It’s a pretty old format and maybe the next vulnerability couldn’t be fixed, as there’s no source code for the dll and no official support for years. And it’s not working in x64 anyway.
But if you like, there would be a possibility.
-
@BigMike Christian sent us that patch info right away, super nice guy, but for us the problem is, as you say, that someone could discover some other vulnerability and we would have the same problem, so it is too risky for, as you say, an old, little-used format that doesn't work on x64 anyway.
thanks!
-
Thank you for sharing the information it was helpful.
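
The path filtering mentioned in this thread ("with proper filtering from our side"), shown as an added example that is not part of the forum posts and not PowerArchiver's or Total Commander's code: a check an extractor can run on every archive member name before writing anything, using Windows path rules. The function names, the `C:\Extract` destination and the sample member names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS


class UnsafeMemberPath(ValueError):
    """Raised when an archive member name must not be extracted."""


def safe_extract_target(dest_root: str, member_name: str) -> str:
    """Map an archive member name to a path inside dest_root, or raise."""
    name = member_name.replace("/", "\\")  # archives may store either separator
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith("\\"):
        # "C:\x", drive-relative "C:x", UNC "\\host\share\x", rooted "\x"
        raise UnsafeMemberPath(f"absolute or drive-qualified: {member_name!r}")
    parts = [p for p in tail.split("\\") if p]
    if not parts:
        raise UnsafeMemberPath("empty member name")
    for part in parts:
        # ".", ".." and dot/space-only variants such as ".. ": Windows
        # normalization can strip trailing dots and spaces from a component.
        if part.rstrip(". ") == "":
            raise UnsafeMemberPath(f"relative component {part!r}: {member_name!r}")
        if ":" in part:  # embedded drive spec or alternate data stream
            raise UnsafeMemberPath(f"colon in component {part!r}: {member_name!r}")
    root = ntpath.normpath(dest_root)
    target = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: the normalized result must still sit under root.
    if ntpath.commonpath([root, target]).lower() != root.lower():
        raise UnsafeMemberPath(f"escapes destination: {member_name!r}")
    return target


def audit_members(dest_root: str, names: list[str]) -> dict[str, str]:
    """Return {member name: target path or 'REJECTED: reason'}."""
    report = {}
    for n in names:
        try:
            report[n] = safe_extract_target(dest_root, n)
        except UnsafeMemberPath as exc:
            report[n] = f"REJECTED: {exc}"
    return report


# Constructed member names, not taken from any real archive.
SAMPLE = ["docs/readme.txt", "..\\..\\x.txt", "C:\\Temp\\x.txt", "C:x.txt",
          "\\\\host\\share\\x.txt", "a\\.. \\x.txt", "x.txt:alt"]

if __name__ == "__main__":
    for name, verdict in audit_members("C:\\Extract", SAMPLE).items():
        print(f"{name!r:28} -> {verdict}")
```

A rejected member should be reported to the user rather than skipped silently, which is the behaviour the posts above ask for.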