The Linux Mint project has issued a new version of their file exchange program, Warpinator, to address a security vulnerability that could allow a sender to delete files on a recipient’s computer. Identified as CVE-2023-29380, the vulnerability was caused by the program transferring a list of basic catalogs along with the parameters of the file sent. Elements of the list were not checked for the presence of special systems, enabling a sender to indicate on the way and organize the removal of any catalogs on the recipient’s side. The issue is resolved in Warpinator 1.6.0, which also adds protection against similar problems in performing other operations.
Last year, a similar vulnerability (CVE-2022-4272) was discovered in Warpinator, allowing for the creation or modification of system files. The developers recommend using more stringent insulation technologies, such as the space of names of mounting points, to block access beyond the basic catalog in which the load is carried out.
When Warpinator is launched in confidence mode, the removal operation will be performed automatically. Otherwise, the user will be displayed a dialog to confirm the file operation. The vulnerability has now been eliminated with the release of Warpinator 1.6.0.