Bug 804971: Thunderbird Installer can run untrusted program
Status: Closed
Opened 13 years ago, closed 13 years ago
Categories: Thunderbird :: Installer, defect
Tracking: thunderbird16+ fixed, thunderbird17+ fixed, thunderbird18+ fixed, thunderbird-esr10 16+ fixed
People: Reporter: standard8, Assigned: standard8
Details: Keywords: sec-moderate
Attachments (1 file): patch, 1.98 KB
robert.strong.bugs: review+
standard8: approval-comm-aurora+
standard8: approval-comm-beta+
standard8: approval-comm-release+
standard8: approval-comm-esr10+
Description
See Bug 770478, the installer should quote the string around the path to actually launch Thunderbird and not something else.
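An added illustration, not part of this bug or of the Thunderbird installer source: assuming the launch ends in a Windows `CreateProcess` call that receives only a command line, this models the documented rule that an unquoted path containing spaces is tried at each space boundary, and shows that quoting leaves a single interpretation. The install path and all function names are constructed for the example.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample install path; not taken from the bug.
SAMPLE_EXE = r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"


def launch_candidates(command_line):
    """Executables Windows may try, in order, for a command line that is
    handed to CreateProcess without a separate application name."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return [cmd[1:end]]  # quoted: exactly one interpretation
    tokens = cmd.split(" ")
    candidates = []
    for i, token in enumerate(tokens, start=1):
        if not token:
            continue  # run of consecutive spaces
        prefix = " ".join(tokens[:i])
        has_ext = bool(ntpath.splitext(prefix)[1])
        # Windows appends .exe when the name has no extension.
        candidates.append(prefix if has_ext else prefix + ".exe")
        if prefix.lower().endswith(".exe"):
            break  # simplification: first token ending in .exe is the intended binary
    return candidates


def ambiguous_interpretations(command_line):
    """Interpretations that are tried before the intended binary."""
    return launch_candidates(command_line)[:-1]


def quote_for_launch(path, args=""):
    """Build the command line as the bug description asks: path in quotes."""
    if '"' in path:
        raise ValueError("path must not contain a double quote")
    return f'"{path}" {args}'.strip()


if __name__ == "__main__":
    for cmd in (SAMPLE_EXE, quote_for_launch(SAMPLE_EXE)):
        print(cmd, "->", ambiguous_interpretations(cmd) or "no ambiguity")
```

An installer audit can run `ambiguous_interpretations` over every command line it passes to a launch call and treat any non-empty result as a finding.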
Comment 1 • 13 years ago (Assignee)
Rob, could you just check this for correctness? I think the shared.nsh changes are right but we just haven't ported bug 716045 yet.
Attachment #674618 - Flags: review?(robert.bugzilla)
Updated • 13 years ago (Assignee)
Assignee: nobody → mbanner
Comment 2 • 13 years ago
Comment on attachment 674618: The fix
Looks good
Attachment #674618 - Flags: review?(robert.bugzilla) → review+
Comment 3 • 13 years ago (Assignee)
Comment on attachment 674618: The fix
[Triage Comment]
Ok, as this has unfortunately been long revealed, we're going to take it in the releases we're doing this week and get it fixed.
Attachment #674618 - Flags: approval-comm-release+
Attachment #674618 - Flags: approval-comm-esr10+
Attachment #674618 - Flags: approval-comm-beta+
Attachment #674618 - Flags: approval-comm-aurora+
Updated • 13 years ago (Assignee)
tracking-thunderbird-esr10: --- → 16+
Comment 4 • 13 years ago (Assignee)
https://hg.mozilla.org/comm-central/rev/477e78b3b2cb
https://hg.mozilla.org/releases/comm-aurora/rev/6726e97a0d3c
https://hg.mozilla.org/releases/comm-beta/rev/18f28032dc59
https://hg.mozilla.org/releases/comm-release/rev/234a03980b2b
The esr patch doesn't have the
https://hg.mozilla.org/releases/comm-esr10/rev/6c5e9520517a
status-thunderbird16: --- → fixed
status-thunderbird17: --- → fixed
status-thunderbird18: --- → fixed
status-thunderbird-esr10: --- → fixed
Updated • 13 years ago (Assignee)
Target Milestone: --- → Thunderbird 19.0
Comment 5 • 13 years ago (Assignee)
Also pushed to the relbranch for 10.0.10esr:
https://hg.mozilla.org/releases/comm-esr10/rev/dbd298bf5c74
I've also verified the fix on the trunk builds with the str in bug 770478 comment 6.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 10 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release