WiX v3.11.2 is a minor security release of WiX. If your application directly references Microsoft.Deployment.Compression.Cab.dll or Microsoft.Deployment.Compression.Zip.dll to decompress cabinet or zip files to a folder, you should upgrade to this release. Otherwise, feel free to stay with WiX v3.11.1.
This security release addresses a "Zip Slip" vulnerability in the decompression code provided by DTF, specifically: Microsoft.Deployment.Compression.Cab.dll and Microsoft.Deployment.Compression.Zip.dll. "Zip Slip" occurs when a malicious archive (cabinet or zip) file contains a filename with traversal paths (..\) such that vulnerable decompression code could overwrite files unexpectedly. See the WIP for more details.
We developed a targeted fix in the shared functionality for cabinet and zip file compression and decompression. Again, if your project references Microsoft.Deployment.Compression.Cab.dll or Microsoft.Deployment.Compression.Zip.dll then you will want to upgrade to WiX v3.11.2. There are no other changes in WiX v3.11.2.
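As an added illustration of the defect class this release fixes (not code from WiX or DTF, whose implementation is not shown here): a containment check on archive entry names, run against a constructed zip whose second entry carries a `..\` traversal sequence. The sample archive, the temporary target directory and the function names are assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample zip (not a real WiX/DTF artifact): one benign entry plus
    one whose name carries the "..\\" traversal sequence the release note describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("..\\..\\evil.txt", "would be written outside the target folder")
    return buf.getvalue()


def is_contained(target_dir: str, entry_name: str) -> bool:
    """True only if entry_name resolves to a location inside target_dir. Backslashes
    count as separators too: Windows decompressors honour them, so a check that only
    looks for "/" would miss "..\\"."""
    root = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(root, entry_name.replace("\\", "/")))
    return candidate == root or candidate.startswith(root + os.sep)


def safe_extract(archive_bytes: bytes, target_dir: str) -> dict:
    """Extract entries that pass the containment check and report the rest as
    rejected, instead of letting them land wherever the traversal sequence points."""
    report = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(target_dir, info.filename):
                report["rejected"].append(info.filename)
                continue
            dest = os.path.join(target_dir, info.filename.replace("\\", "/"))
            os.makedirs(dest if info.is_dir() else os.path.dirname(dest), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
            report["extracted"].append(info.filename)
    return report


def demo() -> dict:
    """Run the check against the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as target:
        report = safe_extract(build_sample_archive(), target)
        report["on_disk"] = sorted(os.listdir(target))  # only "docs" should exist
    return report
```

Calling `demo()` extracts the benign entry, rejects the traversal entry, and confirms that nothing was written outside the target directory.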
The vulnerability was first reported to us by Devin Casadey of Secureworks. We appreciate the professionalism and completeness of his security report.