SeaMonkey Installer can run untrusted program

RESOLVED FIXED in seamonkey2.16

Status

defect
RESOLVED FIXED
7 years ago
3 years ago

People

(Reporter: mcsmurf, Assigned: mcsmurf)

Tracking

({sec-moderate})

Trunk
seamonkey2.16
x86_64
Windows 7

Firefox Tracking Flags

(firefox-esr10 unaffected, firefox-esr17 unaffected, seamonkey2.13 fixed, seamonkey2.14+ fixed, seamonkey2.15 fixed, seamonkey2.16 fixed)

Details

Attachments

(1 attachment)

See Bug 770478, the installer should quote the string around the path to actually launch SeaMonkey and not something else.
Posted patch PatchSplinter Review
Easy to review, fixes a small security issue (the launched app runs as app with normal user privs, not with escalated admin privs).
Assignee: installer → bugzilla
Status: NEW → ASSIGNED
Attachment #673780 - Flags: review?(neil)
Attachment #673780 - Flags: review?(neil) → review+
Comment on attachment 673780 [details] [diff] [review]
Patch

[Approval Request Comment]
Regression caused by (bug #): -
User impact if declined: Small security risk for users
Testing completed (on m-c, etc.): Patch has been tested locally and it fixes the bug: Without the patch the installer launches the program C:\program.exe (as an example), with the patch the installer launches SeaMonkey
Risk to taking this patch (and alternatives if risky): Very low risk, the patch just quotes a string before handing it over to another routine
String changes made by this patch: none
Attachment #673780 - Flags: approval-comm-beta?
Attachment #673780 - Flags: approval-comm-aurora?
Comment on attachment 673780 [details] [diff] [review]
Patch

Review of attachment 673780 [details] [diff] [review]:
-----------------------------------------------------------------

I'm about to land to beta, but please also land on our comm-release tree, we're spinning a 2.13.2 (if for no other reason than our Addressbook failure, and I see no reason this fix shouldn't ride along)
Attachment #673780 - Flags: approval-comm-release+
Attachment #673780 - Flags: approval-comm-beta?
Attachment #673780 - Flags: approval-comm-beta+
Attachment #673780 - Flags: approval-comm-aurora?
Attachment #673780 - Flags: approval-comm-aurora+
Dan/Al,

This is a heads up that SeaMonkey is taking this sec-bug in SeaMonkey 2.13.2 [to coincide with Firefox/TB 16.0.2 release]

This particular bug corresponds with http://www.mozilla.org/security/announce/2012/mfsa2012-67.html which is already publically announced, just something that we missed along the way. I will *make sure* it is in our release, even though its not landed yet.
Group: core-security
(In reply to Justin Wood (:Callek) from comment #3)
> we're spinning a 2.13.2 (if for no other reason than our Addressbook
> failure, and I see no reason this fix shouldn't ride along)

You're also including the Location bug fixes bholley is landing, I hope?
Pushed to comm-central: http://hg.mozilla.org/comm-central/rev/72c147a54bd2
Pushed to comm-aurora: http://hg.mozilla.org/releases/comm-aurora/rev/1ed5fc6ff7b0
Pushed to comm-release: http://hg.mozilla.org/releases/comm-release/rev/43896486d517
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.16
(In reply to Justin Wood (:Callek) from comment #4)
> Dan/Al,
> 
> This is a heads up that SeaMonkey is taking this sec-bug in SeaMonkey 2.13.2
> [to coincide with Firefox/TB 16.0.2 release]
> 
> This particular bug corresponds with
> http://www.mozilla.org/security/announce/2012/mfsa2012-67.html which is
> already publically announced, just something that we missed along the way. I
> will *make sure* it is in our release, even though its not landed yet.

Do we need to update the advisory for 67?
(In reply to Al Billings [:abillings] from comment #8)
> (In reply to Justin Wood (:Callek) from comment #4)
> > Dan/Al,
> > 
> > This is a heads up that SeaMonkey is taking this sec-bug in SeaMonkey 2.13.2
> > [to coincide with Firefox/TB 16.0.2 release]
> > 
> > This particular bug corresponds with
> > http://www.mozilla.org/security/announce/2012/mfsa2012-67.html which is
> > already publically announced, just something that we missed along the way. I
> > will *make sure* it is in our release, even though its not landed yet.
> 
> Do we need to update the advisory for 67?

Yes, To add SeaMonkey 2.13.2, and to list it in SeaMonkey 2.13.2's fixes list.

To deploy to the advisory list along with Firefox 16.0.2's changes.

Dan might have a declaration to issue a new mfsa for SeaMonkey's fix of the same issue however, I'll let him declare that if he thinks so though -- I'm happy to defer that choice
(In reply to Al Billings [:abillings] from comment #8)
> Do we need to update the advisory for 67?

I think you also need to update the advisory for Thunderbird, see Bug 804971 (I cannot access the bug, but I saw the check-in two days or so ago). This issue has not been fixed in TB 15, but will be fixed in the next TB release.
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.