Closed Bug 1234401 (CVE-2017-7796) Opened 7 years ago Closed 5 years ago
Update logger can delete arbitrary files with the name "update
On Windows, the update logging system's initialization procedure includes a step that deletes the file that it plans to write to. The name of this file is hard coded as "update.log", but the path to it is read from the command line. The updater can be invoked through the maintenance service, so anyone able to execute that with the right command line can cause any file with the name update.log anywhere on the system to be deleted, using the very high privilege level that the service gets invoked at.
Note: this is a spinoff of bug 1212939 which makes it so only a file named update.log is affected. I am not sure there is a decent way to prevent this from happening at this time.
Matt, I'm thinking that it should be enough to just require that the path to the patch directory ends with updates\0 for this bug. What do you think?
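The check proposed in the comment above, requiring the patch directory to end with updates\0 before the logger touches update.log, sketched as an added example; it is not the patch attached to this bug and not Mozilla's updater code. The function names, the case-insensitive comparison, the tolerated trailing separator and the component-boundary rule are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the updater's code): true when `path` ends with
 * the two components "updates" and "0", compared case-insensitively. */
static bool patch_dir_is_acceptable(const char *path)
{
    static const char suffix[] = "\\updates\\0";
    const size_t slen = sizeof(suffix) - 1;
    size_t plen;

    if (path == NULL)
        return false;
    plen = strlen(path);

    /* Assumption: tolerate one trailing separator after the final "0". */
    if (plen > 0 && path[plen - 1] == '\\')
        plen--;

    /* The suffix begins with a separator, so a directory such as
     * "notupdates" cannot match, and a parent path must precede it. */
    if (plen <= slen)
        return false;

    for (size_t i = 0; i < slen; i++) {
        unsigned char a = (unsigned char)path[plen - slen + i];
        unsigned char b = (unsigned char)suffix[i];
        if (tolower(a) != tolower(b))
            return false;
    }
    return true;
}

/* Hypothetical gate: writes patch_dir + separator + "update.log" to `out`
 * only for an accepted directory. The caller deletes or opens the log
 * only when this returns true. */
static bool build_update_log_path(const char *patch_dir, char *out, size_t outsz)
{
    if (!patch_dir_is_acceptable(patch_dir))
        return false;
    size_t n = strlen(patch_dir);
    const char *sep = (patch_dir[n - 1] == '\\') ? "" : "\\";
    int w = snprintf(out, outsz, "%s%supdate.log", patch_dir, sep);
    return w > 0 && (size_t)w < outsz;
}
```

The suffix rule only narrows which directories can be named on the command line; it does not establish that the directory belongs to an installation.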
Assignee: nobody → robert.strong.bugs
Status: NEW → ASSIGNED
Attachment #8860292 - Flags: feedback?(mhowell)
Comment on attachment 8860292 - patch in progress
Probably fine. This doesn't accomplish all that much, but I don't think this bug merits any more.
Attachment #8860292 - Flags: feedback?(mhowell) → feedback+
Try push https://treeherder.mozilla.org/#/jobs?repo=try&revision=cd4449e37c3fd49e7c3d0b5b211838c3c713ae55
I don't think this is worthwhile uplifting and will likely land this after the other security patches land in early May.
Forgot to update the test description. Comment-only change.
Attachment #8860567 - Attachment is obsolete: true
Attachment #8860565 - Flags: review?(mhowell)
Attachment #8860572 - Flags: review?(mhowell)
Also pushed to oak so I can manually verify.
Attachment #8860565 - Flags: review?(mhowell) → review+
Attachment #8860572 - Flags: review?(mhowell) → review+
Comment on attachment 8860565 - client patch rev1
Pushed to mozilla-inbound https://hg.mozilla.org/integration/mozilla-inbound/rev/212ac7e82d3287f884c0cbf34ec36bd4977f7e78
Comment on attachment 8860572 - test patch rev1
Pushed to mozilla-inbound https://hg.mozilla.org/integration/mozilla-inbound/rev/10de1d8666abf1eb61a47545598aeec88222c49e
I have patches for beta and esr that I will attach soon.
Whiteboard: [adv-main55+] → [adv-main55+][post-critsmash-triage]