Impact
When manually importing a .mrpack file, path traversal was possible, and files could be downloaded by the launcher into places outside it's own directory using a specially crafted path string in the modrinth.index.json within the .mrpack file.
Patches
Upgrade to version 3.4.27.0 (the launcher auto updates itself as long as you're not using AUR or Flatpak)
Workarounds
Do not install any .mrpack modpack manually. Modpacks installed through the launchers Modrinth pack browser are safe.
References
https://docs.modrinth.com/docs/modpacks/format_definition/#files
Akarys42 Analyst
Impact
When manually importing a .mrpack file, path traversal was possible, and files could be downloaded by the launcher into places outside it's own directory using a specially crafted path string in the
modrinth.index.jsonwithin the .mrpack file.Patches
Upgrade to version 3.4.27.0 (the launcher auto updates itself as long as you're not using AUR or Flatpak)
Workarounds
Do not install any .mrpack modpack manually. Modpacks installed through the launchers Modrinth pack browser are safe.
References
https://docs.modrinth.com/docs/modpacks/format_definition/#files