ZipGenius

Statement on security report regarding #ZipGenius appeared on "Exp


Last week we got some mail from users that were telling us about an entry in the "Exploit Database" archive. The report is stating that ZipGenius 6.3.2.3000 is affected by a "buffer overflow exploit" that could execute arbitrary code. Putting aside the fact the author of that report didn't respect the good habit to contact the developer when a new security issue is found, that statement is just "useless" and "not entirely true" for the following reasons:
1) the Python code attached to that report produces a specially crafted ZIP archive that contains only a file whose filename is longer than 255 characters. This was a VERY OLD ISSUE found in many zip utilities (including ZipGenius); in our case, we solved it by putting a check on filename length while reading the file list of an archive: if a filename is longer than 255 chars, ZipGenius alerts the user about the potential danger and disables every extraction feature in order to avoid the related consequences. In other words, the report didn't uncover anything new.
2) we compiled a specific build of ZipGenius that didn't have the security check enabled and we tried to extract the specially crafted file in a sandboxed environment because we wanted to see if ZipGenius could really crash and run "calc.exe". Well... It didn't work: ZipGenius just crashed but no calculator popped up. But wasn't the exploit supposed to execute arbitrary code upon crash? Yes, it was, but it does so only if you attach a debugger application, which is a developer utility that can take over the execution of an application and let the developer investigate bugs and other issues: this is done by slowing down the execution time of an application. We attached the zipgenius.exe file to a debugger and repeated the test until the program crashed as expected. At that point, the debugger kicked in, showing every useful piece of data for the developer, and the Windows Calculator magically appeared. That was the only condition that let us see the result of the exploit as reported. In a few words, then, the exploit is just a proof of concept working only in given circumstances and not in common conditions, but remember: ZipGenius has been protecting you against this exploit since 2003, just as explained above.
3) The ZipGenius Team is always committed to producing safe software but we cannot know about every kind of exploit of similar issues in the world: users' and researchers' contributions are really precious for us, so if you find any potential security issue, please don't imitate the author of that report, contact us and we will find out together if that issue could be really harmful or not.

The ZipGenius Team
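
The filename-length check described in point 1, sketched as an added example (this is not ZipGenius code and not part of the original post): it reads the declared name length of every central-directory entry and refuses extraction if any exceeds 255. The function names and the sample archives are hypothetical and constructed here; Zip64 archives are not handled.

```python
import io
import struct
import zipfile

MAX_NAME = 255             # limit stated in the post
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central-directory file header


def name_lengths(data: bytes) -> list[int]:
    """Return the declared filename length of each central-directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    # EOCD offset 10: total entries (u16), directory size (u32), directory offset (u32)
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    lengths = []
    for _ in range(count):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDH_SIG:
            raise ValueError("malformed central directory")
        # Header offset 28: filename, extra-field and comment lengths (u16 each)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        if pos + 46 + name_len > len(data):
            raise ValueError("filename runs past end of archive")
        lengths.append(name_len)
        pos += 46 + name_len + extra_len + comment_len
    return lengths


def extraction_allowed(data: bytes, limit: int = MAX_NAME) -> bool:
    """False if any entry declares a name longer than the limit."""
    return all(n <= limit for n in name_lengths(data))


def build_sample(name: str) -> bytes:
    """Constructed test archive holding one harmless entry with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for label, name in (("normal", "readme.txt"), ("over-long", "A" * 300)):
        archive = build_sample(name)
        print(label, name_lengths(archive), "extract:", extraction_allowed(archive))
```

The check runs on the length fields alone, before any name is copied into a buffer. An extractor that also reads local file headers would apply the same limit to the name length declared there.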
