Fedora has issued an advisory on December 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/ I don't know if we actually need to fix it, but there it is. Cauldron already has 2.50.
CC: (none) => mageia
updated in updates_testing src.rpm: mingw-nsis-2.50-1.mga5
Assignee: thierry.vignaud => qa-bugs
Advisory:
========================

Updated mingw-nsis package fixes security vulnerability:

The Nullsoft Scriptable Install System version < 2.50 contains a DLL hijacking attack which allows administrative (root) level access on the target Windows system.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/
========================

Updated packages in core/updates_testing:
========================

mingw-nsis-2.50-1.mga5 from mingw-nsis-2.50-1.mga5.src.rpm
Advisory uploaded, but lacks CVE.
Whiteboard: (none) => advisory
CC: (none) => lewyssmith
Curiouser & curiouser. Mageia 5 64-bit.

From the Fedora reference, https://sourceforge.net/p/nsis/bugs/1125/?SetFreedomCookie provides a long detailed discussion of the problem; it has something to do with Windows installers.

To test the water:

$ urpmq -i mingw-nsis
Dim pecyn o'r enw mingw-nsis [no package named...]
# urpmi mingw-nsis
Dim pecyn o'r enw mingw-nsis

So is this update meaningful?
Whiteboard: advisory => advisory feedback
I don't actually know why we have any mingw packages, since they are for Windows. It looks like your repositories got disabled or something. Just OK this if it installs/upgrades cleanly.
Whiteboard: advisory feedback => advisory
Testing M5_64

Lots to note! The *package* is 'mingw32-nsis', the SRPM 'mingw-nsis'. Amending the title, will copy Comment 2 and adjust the advisory accordingly.

Once installed, there is a host of stuff in /usr/share/nsis/ and /usr/share/doc/mingw-nsis/

Going for just a clean update with no attempt to use.

BEFORE update: mingw32-nsis-2.46-13.mga5

$ makensis
MakeNSIS v2.46 - Copyright 1995-2009 Contributors
See the file COPYING for license details.
Credits can be found in the Users Manual.

Usage:
  makensis [option | script.nsi | - [...]]
   options are:
...

AFTER update: mingw32-nsis-2.50-1.mga5

$ makensis
MakeNSIS v2.50 - Copyright 1995-2015 Contributors
See the file COPYING for license details.
Credits can be found in the Users Manual.

Usage:
  makensis [option | script.nsi | - [...]]
   options are:
...

The two full screens are identical except for the initial version/date info.

OKing & validating this M5-only update.
Keywords: (none) => validated_update
Summary: mingw-nsis new security issue fixed in 2.50 => mingw32-nsis new security issue fixed in 2.50
Whiteboard: advisory => advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
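The before/after check in the comment above compares the makensis banner by eye. As an added example (not part of this bug report or of the Mageia package), the script below parses that banner line and decides whether the installed NSIS is at or above the version the advisory names as fixed (2.50). The sample banner lines are constructed to match what the tester pasted; the function and variable names are the author's own choice.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that the installed NSIS
# version is at or above the fixed version named in the advisory.

# version at which the advisory says the DLL hijacking issue is fixed
FIXED_NSIS_VERSION="2.50"

# extract the dotted version from a line such as
# "MakeNSIS v2.46 - Copyright 1995-2009 Contributors"; prints nothing
# if the line is not a makensis banner
nsis_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^MakeNSIS v\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: exit 0 when dotted version A >= dotted version B,
# comparing component by component (so 2.50 > 2.46 and 2.5 == 2.5.0)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# nsis_is_fixed BANNER: exit 0 when the banner shows a fixed version,
# exit 1 for an older version or an unparseable line
nsis_is_fixed() {
    v=$(nsis_version_from_banner "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" "$FIXED_NSIS_VERSION"
}

# constructed sample banners (the first lines from the tester's output)
BEFORE_BANNER="MakeNSIS v2.46 - Copyright 1995-2009 Contributors"
AFTER_BANNER="MakeNSIS v2.50 - Copyright 1995-2015 Contributors"

# when makensis is installed, check the real banner; otherwise show the
# decision on the two constructed samples
if command -v makensis >/dev/null 2>&1; then
    banner=$(makensis 2>&1 | head -n 1)
    if nsis_is_fixed "$banner"; then
        echo "installed NSIS is at or above $FIXED_NSIS_VERSION: $banner"
    else
        echo "installed NSIS is below $FIXED_NSIS_VERSION or unrecognised: $banner"
    fi
else
    for b in "$BEFORE_BANNER" "$AFTER_BANNER"; do
        if nsis_is_fixed "$b"; then
            echo "fixed:     $b"
        else
            echo "not fixed: $b"
        fi
    done
fi
```

The comparison is done per dotted component rather than as a string, so a hypothetical 2.100 would correctly rank above 2.50; a banner that does not start with "MakeNSIS v" is treated as not verified rather than as fixed.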
Revising the Advisory in Comment 2 to reflect the actual package name.

---

Advisory:
========================

Updated mingw-nsis package fixes security vulnerability:

The Nullsoft Scriptable Install System version < 2.50 contains a DLL hijacking attack which allows administrative (root) level access on the target Windows system.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/
========================

Updated packages in core/updates_testing:
========================

mingw32-nsis-2.50-1.mga5

from:
mingw-nsis-2.50-1.mga5.src.rpm
Actual advisory (19910.adv)
--------------------------

type: security
subject: Updated mingw32-nsis packages fix security vulnerability
src:
  5:
    core:
      - mingw-nsis-2.50-1.mga5
description: |
  The Nullsoft Scriptable Install System version < 2.50 contains a DLL
  hijacking attack which allows administrative (root) level access on the
  target Windows system.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=19910
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/
Lewis, please change it back to mingw-nsis, as that's the source RPM name.
Summary: mingw32-nsis new security issue fixed in 2.50 => mingw-nsis new security issue fixed in 2.50
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0271.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #9)
> Lewis, please change it back to mingw-nsis, as that's the source RPM name.

Corrected the advisory 'subject' line back to just 'mingw-nsis'. I think that covers it.