Linkr File Delivery System Vulnerability

CRITICAL (9.6)

Threat Intelligence

Low Risk
EPSS Score: 0.08% chance of exploitation (percentile: 24%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Linkr is a lightweight file delivery system that downloads files from a webserver. This vulnerability allows an attacker to inject arbitrary files into a package distribution, potentially leading to remote code execution if the malicious binary or script is executed.

Am I affected?

You're affected if you use Linkr. Affected versions: 2.0.0. If you don't recognise this software, you're probably not affected.

How to fix

Upgrade to Linkr version 2.0.1 or later.

For immediate mitigations:
- Avoid using .linkr files from untrusted sources (e.g., curl https://example.com/linkr-manifest).
- Manually verify manifest integrity before running extract, using the command sha256sum linkr-manifest.
- Host manifests only on trusted servers until a fix is released.