Thunderbird Installer can run untrusted program

RESOLVED FIXED in Thunderbird 19.0

Status: RESOLVED FIXED
Product: Thunderbird
Component: Installer
Reported: 6 years ago
Modified: 2 years ago

People: Reporter: standard8, Assigned: standard8

Tracking: sec-moderate
Version: Trunk
Target Milestone: Thunderbird 19.0
Hardware: x86, Windows 7
Keywords: sec-moderate

Thunderbird Tracking Flags: thunderbird16+ fixed, thunderbird17+ fixed, thunderbird18+ fixed, thunderbird-esr10 16+ fixed

Attachments: 1 attachment

Description (Assignee, 6 years ago)

See Bug 770478, the installer should quote the string around the path to actually launch Thunderbird and not something else.
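The description asks for the launch path to be quoted. The following NSIS fragment is an added illustration, not Mozilla's shared.nsh and not the attached patch; it places the unquoted launch next to the quoted form. The names FileMainEXE, LaunchAppUnquoted and LaunchApp are assumptions made for the example.

```nsis
; Added example (not from Mozilla's installer sources). Names below are assumed.
!define FileMainEXE "thunderbird.exe"   ; assumed main executable name

; Unquoted form: NSIS passes the expanded string to CreateProcess without
; quotes. When $INSTDIR contains spaces (e.g. under "Program Files"), Windows
; may resolve a shorter, different program name from the first token instead
; of the intended executable. This is the defect the bug describes.
Function LaunchAppUnquoted
  Exec $INSTDIR\${FileMainEXE}
FunctionEnd

; Quoted form: the full path is wrapped in double quotes inside the NSIS
; single-quoted string, so the command line is one unambiguous token and
; only the installed executable can be launched.
Function LaunchApp
  Exec '"$INSTDIR\${FileMainEXE}"'
FunctionEnd

; The same rule applies to ExecWait and to the finish-page run command:
; always quote the expanded path.
Function LaunchAppAndWait
  ExecWait '"$INSTDIR\${FileMainEXE}"' $0   ; $0 receives the exit code
FunctionEnd
```

The single-quoted NSIS string lets the embedded double quotes reach the process-creation call unchanged; that is the whole fix, and any place the installer builds a command line from $INSTDIR needs the same treatment.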
Comment 1 (Assignee, 6 years ago)

Created attachment 674618 [details] [diff] [review]
The fix

Rob, could you just check this for correctness? I think the shared.nsh changes are right but we just haven't ported bug 716045 yet.
Attachment #674618 - Flags: review?(robert.bugzilla)
Updated (Assignee, 6 years ago)

Assignee: nobody → mbanner

Comment 2

Comment on attachment 674618 [details] [diff] [review]
The fix

Looks good
Attachment #674618 - Flags: review?(robert.bugzilla) → review+
Comment 3 (Assignee, 6 years ago)

Comment on attachment 674618 [details] [diff] [review]
The fix

[Triage Comment]
Ok, as this has unfortunately been long revealed, we're going to take it in the releases we're doing this week and get it fixed.
Attachment #674618 - Flags: approval-comm-release+
Attachment #674618 - Flags: approval-comm-esr10+
Attachment #674618 - Flags: approval-comm-beta+
Attachment #674618 - Flags: approval-comm-aurora+
Updated (Assignee, 6 years ago)

tracking-thunderbird-esr10: --- → 16+

Updated (Assignee, 6 years ago)

Target Milestone: --- → Thunderbird 19.0
Comment 5 (Assignee, 6 years ago)

Also pushed to the relbranch for 10.0.10esr:

https://hg.mozilla.org/releases/comm-esr10/rev/dbd298bf5c74

I've also verified the fix on the trunk builds with the str in bug 770478 comment 6.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Updated (3 years ago)

Group: core-security → core-security-release