DENIAL OF SERVICE AND ARBITRARY CODE EXECUTION VULNERABILITIES IN 7-ZIP
Can you please verify the issue - does the new version installed successfully, does Kaspersky Total Security v2017 correctly re-scanned the new version of the 7z.exe file?
I've re-checked the last version of PeaZip comes with 7z 16.02, while the bug apply to 7z up to 15.05, so it should not apply to PeaZip 6.1.0.
Scanning with various engines (including Kaspersky) the 32 bit version (as in your example) of the 7z.exe file included in PeaZip 6.1.0, does not raise warnings - see in example Virustotal meta-scan result https://www.virustotal.com/it/file/3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6/analysis/1473355660/
The date/time (2016 05 21 10:42:02) and SHA256 hash value (3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6) for the 7z.exe file included in PeaZip 6.1.0 32 bit are the correct ones for 7z 16.02, can you please verify if it matches on your side?
The new version is installed on my computer, I removed the AppData, updated my virus databases, but I'm still getting this vulnerability shown.
It is a false positive, please verify the hash of the 7z.exe file Kaspersky is reporting as vulnerable. SHA256 shows the last PeaZip 6.1.0 package contains last 7z.exe (16.02, not having the bug, which Kaspersky documentation reports applying up to 15.05 version), so Kaspersky is either detecting a wrong version of the file, or is (incorrectly) reporting the vulnerability for 7z.exe versions past 15.05. It can be verified installing last 7-Zip (as recommended by Kaspersky), 7z.exe has the same hash as the one in PeaZip 6.1.0. Accordingly its own documentation Kaspersky should not mark none of the two files.
MD5: 3076261eec489e4a2b2ead58a66a4b4e
PeaZip Version: 6.0.1 r20160208 Pea Version: 0.54 7z Version: 16.00 PAQ8F(etc.) Version: 7.05 Strip + UPX Version: 3.91 QUAD Version: 1.12 BALZ Version: 1.15 BCM Version: 1.0 FreeArc Version: 0.67a
EDIT: PeaZip Version: 6.1.0
7z.exe CRC32: 48E80CBF MD5: A10BF0E8D40B78C8B0B43A6A6FED9207 You can verify this is exactly the 7z.exe file in last 7-Zip release. Kaspersky documentation says this version is safe: bug description says it affects up to 15.05 version, and it actually points to download this new version (you can verify downloading it and getting the checksum/hash value). So, it is either erroneous the documentation (in this case Kaspersky scanner must report the vulnerability both for last PeaZip and for last 7-Zip - actually, for any version after 15.05), or its is erroneous the detection: since all scans on this file reports it as safe odds are for a simple false positive case. In both cases, this error should be reported to Kaspersky - I'll try to contact their team. https://www.virustotal.com/it/file/3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6/analysis/ shows the scan of the file with 56 engines correctly configured and with last updates applied (including Kaspersky) showing this file is secure.
PeaZip
Kaspersky Total Security v2017 is seeing a software vulnerability in PeaZip located at C:\Program Files (x86)\PeaZip\res\7z\7z.exe.
It is recognizing the vulnerability in 7-Zip that comes pre-packaged with PeaZip in which improper processing of UDF files was found in 7zip. By exploiting this vulnerability malicious users can cause a denial of service or execute arbitrary code. This vulnerability can be exploited remotely via specially crafted UDF file.
See https://threats.kaspersky.com/en/vulnerability/KLA10823 for more info.
PS: I updated to the latest version of PeaZip and this vulnerability is still detected. This needs to be fixed!