Closed Bug 804971 Opened 8 years ago Closed 8 years ago

Thunderbird Installer can run untrusted program

Categories

(Thunderbird :: Installer, defect)

x86
Windows 7
defect
Not set
normal

Tracking

(thunderbird16+ fixed, thunderbird17+ fixed, thunderbird18+ fixed, thunderbird-esr1016+ fixed)

RESOLVED FIXED
Thunderbird 19.0
Tracking Status
thunderbird16 + fixed
thunderbird17 + fixed
thunderbird18 + fixed
thunderbird-esr10 16+ fixed

People

(Reporter: standard8, Assigned: standard8)

Details

(Keywords: sec-moderate)

Attachments

(1 file)

See Bug 770478, the installer should quote the string around the path to actually launch Thunderbird and not something else.
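The report above says the installer must quote the path it launches so that Thunderbird, and not something else, is started. The following is an added example (not code from this bug or from the Thunderbird installer) that models the documented Windows CreateProcess behaviour for an unquoted command line containing spaces, and includes a small lint for NSIS `Exec`-style lines. The filesystem contents, the sample `.nsh` lines and the helper names are constructed for illustration; the `.exe` appending is a simplified model of the real rule.

```python
"""Added example: why an unquoted executable path is a security defect.

When CreateProcess is given a command line such as
    C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe
without quotes, Windows does not know where the program name ends, so it
tries successively longer prefixes (C:\\Program, C:\\Program Files\\Mozilla,
...) before reaching the intended file. If any shorter prefix names an
existing file, that file runs instead. Quoting the path removes the
ambiguity. (Simplified model of the documented behaviour.)
"""
import re
from typing import Iterable, List, Optional


def candidate_executables(command_line: str) -> List[str]:
    """Return the executable candidates Windows would consider, in order.

    A leading double quote delimits the program name exactly; otherwise each
    space produces one more (longer) candidate.
    """
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return [command_line[1:end] if end != -1 else command_line[1:]]
    parts = command_line.split(" ")
    return [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]


def resolve(command_line: str, existing_files: Iterable[str]) -> Optional[str]:
    """Pick the program that would actually be launched.

    For each candidate, the name is tried as given and with ".exe" appended,
    against the (constructed) set of files that exist on disk.
    """
    files = set(existing_files)
    for cand in candidate_executables(command_line):
        for name in (cand, cand + ".exe"):
            if name in files:
                return name
    return None


# NSIS strings may be delimited by ', " or `; the command passed to the OS is
# the text inside them. Exec "$INSTDIR\app.exe" therefore launches an
# UNQUOTED path, while Exec '"$INSTDIR\app.exe"' launches a quoted one.
_EXEC_LINE = re.compile(r"^\s*(Exec|ExecWait)\s+(['\"`])(.*)\2", re.IGNORECASE)


def unquoted_exec_lines(nsh_source: str) -> List[int]:
    """Return 1-based line numbers of Exec/ExecWait calls whose program path
    is not wrapped in double quotes inside the NSIS string literal."""
    findings = []
    for lineno, line in enumerate(nsh_source.splitlines(), start=1):
        m = _EXEC_LINE.match(line)
        if m and not m.group(3).startswith('"'):
            findings.append(lineno)
    return findings


# Constructed sample: a planted file at a short prefix, plus the real program.
SAMPLE_FILES = {
    "C:\\Program.exe",
    "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe",
}
INTENDED = "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"

# Constructed sample .nsh lines: the first is the defect, the second the fix.
SAMPLE_NSH = (
    'Exec "$INSTDIR\\${FileMainEXE}"\n'
    "Exec '\"$INSTDIR\\${FileMainEXE}\"'\n"
)

if __name__ == "__main__":
    print("unquoted launches:", resolve(INTENDED, SAMPLE_FILES))
    print("quoted launches:  ", resolve('"%s"' % INTENDED, SAMPLE_FILES))
    print("lint findings:    ", unquoted_exec_lines(SAMPLE_NSH))
```

The lint is the check a reviewer would apply to an installer script like shared.nsh: every `Exec` whose string literal does not itself begin with `"` is launching an unquoted path.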
Attached patch: The fix (Splinter Review)
Rob, could you just check this for correctness? I think the shared.nsh changes are right but we just haven't ported bug 716045 yet.
Attachment #674618 - Flags: review?(robert.bugzilla)
Assignee: nobody → mbanner
Comment on attachment 674618 [details] [diff] [review]
The fix

Looks good
Attachment #674618 - Flags: review?(robert.bugzilla) → review+
Comment on attachment 674618 [details] [diff] [review]
The fix

[Triage Comment]
Ok, as this has unfortunately been long revealed, we're going to take it in the releases we're doing this week and get it fixed.
Attachment #674618 - Flags: approval-comm-release+
Attachment #674618 - Flags: approval-comm-esr10+
Attachment #674618 - Flags: approval-comm-beta+
Attachment #674618 - Flags: approval-comm-aurora+
Target Milestone: --- → Thunderbird 19.0
Also pushed to the relbranch for 10.0.10esr:

https://hg.mozilla.org/releases/comm-esr10/rev/dbd298bf5c74

I've also verified the fix on the trunk builds with the str in bug 770478 comment 6.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: core-security → core-security-release
Group: core-security-release