Closed Bug 843770 Opened 11 years ago Closed 11 years ago

Call SetDllDirectory(L"") as a precaution in updater

Categories

(Toolkit :: Application Update, defect)

18 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla22
Tracking Status
firefox20 --- affected
firefox21 - affected
firefox22 --- fixed
firefox-esr17 - wontfix
b2g18 --- unaffected

People

(Reporter: bbondy, Assigned: bbondy)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main22-])

Attachments

(1 file)

There are no known security attacks, but it's a good idea to call SetDllDirectory("") as a precaution. This call will remove the current directory for dynamically loaded DLLs if we ever introduce the use of some.
Attached patch: Patch v1
I decided to put it here because that way we don't need extra ugly ifdef's inside updater.cpp. This file is already Windows-only and it is called before main() is even entered.
Attachment #716728 - Flags: review?(robert.bugzilla)
No longer depends on: CVE-2013-0797
Attachment #716728 - Flags: review?(robert.bugzilla) → review+
https://hg.mozilla.org/mozilla-central/rev/3e5f2cfbf3b4
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
I don't think we need it uplifted anywhere since there is no specific known attack we're protecting against.
(In reply to Brian R. Bondy [:bbondy] from comment #5)
> I don't think we need it uplifted anywhere since there is no specific known
> attack we're protecting against.

Sounds reasonable, especially since this is sec-moderate.
Whiteboard: [adv-main22-]
Group: core-security
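
Added example, not the patch attached to this bug: a static object whose constructor calls SetDllDirectoryW(L"") before main() is entered, as the comments above describe. It goes one step beyond the bug by also loading a system DLL by absolute path; the names TrustedDllPath, LoadSystemDll, DllSearchHardening and the choice of version.dll are assumptions made for illustration.

```cpp
// Added example: pre-main DLL search-path hardening (hypothetical names).
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Joins a trusted directory and a bare DLL file name. Returns an empty
// string if the name carries any path component (\ / :), so a caller
// cannot be steered outside the trusted directory.
std::wstring TrustedDllPath(const std::wstring& dir, const std::wstring& name) {
  if (dir.empty() || name.empty() ||
      name.find_first_of(L"\\/:") != std::wstring::npos) {
    return L"";
  }
  std::wstring path = dir;
  if (path.back() != L'\\') path += L'\\';
  return path + name;
}

#ifdef _WIN32
// Loads a DLL from the system directory by absolute path; nullptr on failure.
HMODULE LoadSystemDll(const wchar_t* name) {
  wchar_t sysDir[MAX_PATH + 1] = {0};
  UINT n = GetSystemDirectoryW(sysDir, MAX_PATH + 1);
  if (n == 0 || n > MAX_PATH) return nullptr;
  std::wstring full = TrustedDllPath(sysDir, name);
  return full.empty() ? nullptr : LoadLibraryW(full.c_str());
}

// The constructor runs during static initialization, before main().
// SetDllDirectoryW(L"") removes the current directory from the default
// search order used for dynamically loaded DLLs.
struct DllSearchHardening {
  bool ok;
  DllSearchHardening() : ok(SetDllDirectoryW(L"") != FALSE) {}
};
static DllSearchHardening gDllSearchHardening;
#endif

int main() {
#ifdef _WIN32
  if (!gDllSearchHardening.ok) return 1;
  return LoadSystemDll(L"version.dll") ? 0 : 1;
#else
  // Non-Windows build: only the path check can be exercised.
  return TrustedDllPath(L"C:\\Windows\\System32", L"version.dll").empty() ? 1 : 0;
#endif
}
```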