Bug 19910 - mingw-nsis new security issue fixed in 2.50
Summary: mingw-nsis new security issue fixed in 2.50
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/708363/
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-12-07 20:37 CET by David Walser
Modified: 2017-08-17 09:59 CEST (History)
3 users (show)

See Also:
Source RPM: mingw-nsis-2.46-13.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-12-07 20:37:00 CET 
Fedora has issued an advisory on December 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/

I don't know if we actually need to fix it, but there it is.

Cauldron already has 2.50.
David Walser 2016-12-07 20:37:22 CET

CC: (none) => mageia

Comment 1 Nicolas Lécureuil 2017-08-11 15:26:02 CEST 
updated in updates_testing

src.rpm:
         mingw-nsis-2.50-1.mga5

Assignee: thierry.vignaud => qa-bugs

Comment 2 David Walser 2017-08-11 15:53:41 CEST 
Advisory:
========================

Updated mingw-nsis package fixes security vulnerability:

The Nullsoft Scriptable Install System version < 2.50 contains a DLL hijacking
attack which allows administrative (root) level access on the target Windows
system.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/
========================

Updated packages in core/updates_testing:
========================
mingw-nsis-2.50-1.mga5

from mingw-nsis-2.50-1.mga5.src.rpm
Comment 3 Lewis Smith 2017-08-13 09:59:21 CEST 
Advisory uploaded, but lacks CVE.

Whiteboard: (none) => advisory
CC: (none) => lewyssmith

Comment 4 Lewis Smith 2017-08-14 21:25:11 CEST 
Curiouser & curiouser. Mageia 5 64-bit.

From the Fedora reference,
 https://sourceforge.net/p/nsis/bugs/1125/?SetFreedomCookie
provides a long detailed discussion of the problem; it has something to do with Windows installers.
To test the water:
 $ urpmq -i mingw-nsis
 Dim pecyn o'r enw mingw-nsis         [no package named...]
 # urpmi mingw-nsis
 Dim pecyn o'r enw mingw-nsis
So is this update meaningful?

Whiteboard: advisory => advisory feedback

Comment 5 David Walser 2017-08-14 21:48:45 CEST 
I don't actually know why we have any mingw packages, since they are for Windows.  It looks like your repositories got disabled or something.  Just OK this if it installs/upgrades cleanly.

Whiteboard: advisory feedback => advisory

Comment 6 Lewis Smith 2017-08-15 19:25:17 CEST 
Testing M5_64

Lots to note! The *package* is 'mingw32-nsis', the SRPM 'mingw-nsis'.
Amending the title, will copy Comment 2 and adjust the advisory accordingly.
Once installed, there is a host of stuff in /usr/share/nsis/ and
/usr/share/doc/mingw-nsis/

Going for just a clean update with no attempt to use.

BEFORE update: mingw32-nsis-2.46-13.mga5
 $ makensis
MakeNSIS v2.46 - Copyright 1995-2009 Contributors
See the file COPYING for license details.
Credits can be found in the Users Manual.

Usage:
  makensis [option | script.nsi | - [...]]
   options are:
...

AFTER update: mingw32-nsis-2.50-1.mga5
 $ makensis
MakeNSIS v2.50 - Copyright 1995-2015 Contributors
See the file COPYING for license details.
Credits can be found in the Users Manual.

Usage:
  makensis [option | script.nsi | - [...]]
   options are:
...

The two full screens are identical except for the initial version/date info.

OKing & validating this M5-only update.

Keywords: (none) => validated_update
Summary: mingw-nsis new security issue fixed in 2.50 => mingw32-nsis new security issue fixed in 2.50
Whiteboard: advisory => advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Lewis Smith 2017-08-15 19:29:59 CEST 
Revising the Advisory in Comment 2 to refelct the actual package name.
---
Advisory:
========================
Updated mingw-nsis package fixes security vulnerability:

The Nullsoft Scriptable Install System version < 2.50 contains a DLL hijacking
attack which allows administrative (root) level access on the target Windows
system.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/
========================
Updated packages in core/updates_testing:
========================
mingw32-nsis-2.50-1.mga5

from: mingw-nsis-2.50-1.mga5.src.rpm
Comment 8 Lewis Smith 2017-08-15 19:43:22 CEST 
Actual advisory (19910.adv)
--------------------------
type: security
subject: Updated mingw32-nsis packages fix security vulnerability
src:
  5:
   core:
     - mingw-nsis-2.50-1.mga5
description: |
  The Nullsoft Scriptable Install System version < 2.50 contains a DLL
  hijacking attack which allows administrative (root) level access on the
  target Windows system.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=19910
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2762LYQBZ3FBEJYN5TJH55CB2C27LLI/
Comment 9 David Walser 2017-08-15 21:19:18 CEST 
Lewis, please change it back to mingw-nsis, as that's the source RPM name.

Summary: mingw32-nsis new security issue fixed in 2.50 => mingw-nsis new security issue fixed in 2.50

Comment 10 Mageia Robot 2017-08-16 02:01:57 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0271.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 11 Lewis Smith 2017-08-17 09:59:27 CEST 
(In reply to David Walser from comment #9)
> Lewis, please change it back to mingw-nsis, as that's the source RPM name.
Corrected the advisory 'subject' line back to just 'mingw-nsis'. I think that covers it.
Note You need to log in before you can comment on or make changes to this bug.