| Summary: | mingw-nsis new security issue fixed in 2.50 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | lewyssmith, mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/708363/ | ||
| Whiteboard: | advisory MGA5-64-OK | ||
| Source RPM: | mingw-nsis-2.46-13.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2016-12-07 20:37:00 CET
David Walser
2016-12-07 20:37:22 CET
CC: (none) => mageia

updated in updates_testing

src.rpm:
mingw-nsis-2.50-1.mga5

Assignee: thierry.vignaud => qa-bugs

Advisory:
========================

Updated mingw-nsis package fixes security vulnerability:

The Nullsoft Scriptable Install System version < 2.50 contains a DLL hijacking attack which allows administrative (root) level access on the target Windows system.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/

========================

Updated packages in core/updates_testing:
========================
mingw-nsis-2.50-1.mga5

from mingw-nsis-2.50-1.mga5.src.rpm

Advisory uploaded, but lacks CVE.

Whiteboard: (none) => advisory

Curiouser & curiouser. Mageia 5 64-bit.

From the Fedora reference, https://sourceforge.net/p/nsis/bugs/1125/?SetFreedomCookie provides a long detailed discussion of the problem; it has something to do with Windows installers.

To test the water:
$ urpmq -i mingw-nsis
Dim pecyn o'r enw mingw-nsis [no package named...]
# urpmi mingw-nsis
Dim pecyn o'r enw mingw-nsis

So is this update meaningful?

Whiteboard: advisory => advisory feedback

I don't actually know why we have any mingw packages, since they are for Windows.

It looks like your repositories got disabled or something.

Just OK this if it installs/upgrades cleanly.

Whiteboard: advisory feedback => advisory

Testing M5_64

Lots to note! The *package* is 'mingw32-nsis', the SRPM 'mingw-nsis'. Amending the title, will copy Comment 2 and adjust the advisory accordingly.

Once installed, there is a host of stuff in
/usr/share/nsis/
and
/usr/share/doc/mingw-nsis/

Going for just a clean update with no attempt to use.

BEFORE update: mingw32-nsis-2.46-13.mga5
$ makensis
MakeNSIS v2.46 - Copyright 1995-2009 Contributors
See the file COPYING for license details.
Credits can be found in the Users Manual.
Usage:
makensis [option | script.nsi | - [...]]
options are:
...

AFTER update: mingw32-nsis-2.50-1.mga5
$ makensis
MakeNSIS v2.50 - Copyright 1995-2015 Contributors
See the file COPYING for license details.
Credits can be found in the Users Manual.
Usage:
makensis [option | script.nsi | - [...]]
options are:
...

The two full screens are identical except for the initial version/date info.

OKing & validating this M5-only update.

Keywords: (none) => validated_update

Revising the Advisory in Comment 2 to reflect the actual package name.
---
Advisory:
========================

Updated mingw-nsis package fixes security vulnerability:

The Nullsoft Scriptable Install System version < 2.50 contains a DLL hijacking attack which allows administrative (root) level access on the target Windows system.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/

========================

Updated packages in core/updates_testing:
========================
mingw32-nsis-2.50-1.mga5

from:
mingw-nsis-2.50-1.mga5.src.rpm

Actual advisory (19910.adv)
--------------------------
type: security
subject: Updated mingw32-nsis packages fix security vulnerability
src:
  5:
    core:
      - mingw-nsis-2.50-1.mga5
description: |
  The Nullsoft Scriptable Install System version < 2.50 contains a DLL
  hijacking attack which allows administrative (root) level access on the
  target Windows system.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=19910
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/

Lewis, please change it back to mingw-nsis, as that's the source RPM name.

Summary: mingw32-nsis new security issue fixed in 2.50 => mingw-nsis new security issue fixed in 2.50

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0271.html

Status: NEW => RESOLVED

(In reply to David Walser from comment #9)
> Lewis, please change it back to mingw-nsis, as that's the source RPM name.

Corrected the advisory 'subject' line back to just 'mingw-nsis'.
I think that covers it.