Dink Smallwood HD v1.91 – CVE-2018-0496
June 8th, 2018

So, a couple weeks ago, Beuc contacted Seth Robinson and me about a directory traversal security flaw with Dink Smallwood D-Mods. The software that is used to unzip D-Mods (from bzip2 format) did not protect against unzipping files up and out of the D-Mod destination directory, potentially allowing D-Mods to overwrite arbitrary user files on a hard drive.
Yikes!
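The check that closes this class of flaw, as an added illustration that is not code from Dink Smallwood HD or FreeDink: every archive entry is resolved against the destination directory before it is written, and anything that escapes (a `..` component, an absolute name, or a link pointing outside) is skipped. The D-Mod is assumed here to be a bzip2-compressed tar, and the archive contents are constructed for the demo.

```python
import io
import os
import tarfile
import tempfile


def is_within(base: str, target: str) -> bool:
    """True if `target` resolves (after realpath) to a path inside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def safe_extract(archive: tarfile.TarFile, dest: str) -> tuple[list[str], list[str]]:
    """Extract only members that stay inside `dest`; return (extracted, rejected)."""
    extracted, rejected = [], []
    for member in archive.getmembers():
        target = os.path.join(dest, member.name)
        # Absolute names and '..' escapes resolve outside dest and are refused.
        ok = not os.path.isabs(member.name) and is_within(dest, target)
        if ok and member.issym():
            # Symlink targets are relative to the link's own directory.
            ok = is_within(dest, os.path.join(os.path.dirname(target), member.linkname))
        elif ok and member.islnk():
            # Hard link targets are relative to the archive (extraction) root.
            ok = is_within(dest, os.path.join(dest, member.linkname))
        if ok:
            archive.extract(member, dest)
            extracted.append(member.name)
        else:
            rejected.append(member.name)
    return extracted, rejected


def build_demo_dmod() -> bytes:
    """Constructed sample archive: one normal entry and one traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, payload in [("demo/dmod.diz", b"Demo D-Mod"), ("../escaped.txt", b"x")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the sample into a temp dir and verify nothing landed above it."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dmods")
        os.mkdir(dest)
        with tarfile.open(fileobj=io.BytesIO(build_demo_dmod()), mode="r:bz2") as tar:
            result = safe_extract(tar, dest)
        assert not os.path.exists(os.path.join(tmp, "escaped.txt"))
        return result
```

Python 3.12 and later also offer `tarfile`'s built-in `filter="data"` for the same purpose; the explicit check above shows what that filter refuses.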
I helped confirm that no current D-Mods exploited this functionality, as well as perform Windows testing and point out potential corner-cases.
And, now, Dink Smallwood HD v1.91 is available for everyone to download, now without any security vulnerabilities.
Coincidentally, after we had begun work and a few days before the fixes were published, the Zip Slip Vulnerability was fairly widely advertised. Beuc assured me this was a coincidence.
For more details on CVE-2018-0496, see Mageia.