Today we got to talk about security vulnerability that was reported to FireGiant. In fact, it was the only new issue we had to triage. So let's get into it.
DTF security vulnerability
In addition to DTF's support for .NET Framework-based managed-code custom actions, it also includes libraries that are generally useful for setup-related development and even only-tangentially-related-to-setup development. One of those libraries lets you process .cab and .zip archives, including extracting files to disk. Inside a .zip archive, however, files can be stored with relative paths; that's great to support files in subdirectories but also allows an archvillain to create a .zip file that uses
.. to "escape" the directory the archive is being extracted to. This could allow the archvillain to overwrite files, even protected operating system files if you were for some crazy reason extracting files while elevated. This kind of vulnerability is charmingly referred to as "Zip Slip."
FireGiant volunteered Rob's time to fix the bug. It turned out to be a fairly straightforward fix, which you can see in the pull request. As you can see in the WIP (WiX Improvement Proposal), this is a breaking change if you were relying on the old behavior of being able to extract files with
Releases of WiX v3.14 and v3.11.2 with the fix included will come out within the next week. Check back here on Setup Matters for details when they're available.