Closed
Bug 804971
Opened 12 years ago
Closed 12 years ago
Thunderbird Installer can run untrusted program
Categories
(Thunderbird :: Installer, defect)
Tracking
(thunderbird16+ fixed, thunderbird17+ fixed, thunderbird18+ fixed, thunderbird-esr1016+ fixed)
People
(Reporter: standard8, Assigned: standard8)
Details
(Keywords: sec-moderate)
Attachments
(1 file)
1.98 KB, patch
robert.strong.bugs: review+
standard8: approval-comm-aurora+
standard8: approval-comm-beta+
standard8: approval-comm-release+
standard8: approval-comm-esr10+
See Bug 770478, the installer should quote the string around the path to actually launch Thunderbird and not something else.
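Added example, not code from this bug or its patch: an audit helper that lists the executable paths Windows would try, in order, for a launch command line passed to CreateProcess without an application name, which is why the installer has to quote the path. The install path is a constructed sample, and stopping at the first prefix that already has a file extension is a simplification made for this check.

```python
import ntpath


def launch_candidates(command_line):
    """Paths tried, in order, when command_line is the whole launch string.

    A quoted program path is taken literally. An unquoted path is split at
    each space and every prefix is tried in turn, with ".exe" appended when
    the prefix has no extension.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        closing = cmd.find('"', 1)
        return [cmd[1:closing] if closing != -1 else cmd[1:]]

    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        if not tokens[i - 1]:  # skip empty tokens from repeated spaces
            continue
        prefix = " ".join(tokens[:i])
        has_ext = bool(ntpath.splitext(prefix)[1])
        candidates.append(prefix if has_ext else prefix + ".exe")
        if has_ext:
            # Simplification: treat the first prefix that carries an
            # extension as the intended program and stop there.
            break
    return candidates


def unintended_candidates(command_line):
    """Paths that would be tried before the intended program (empty = safe)."""
    return launch_candidates(command_line)[:-1]


# Constructed sample install path, not taken from the bug.
UNQUOTED = r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
QUOTED = '"' + UNQUOTED + '"'

if __name__ == "__main__":
    for cmd in (UNQUOTED, QUOTED):
        extra = unintended_candidates(cmd)
        print(cmd, "->", "ambiguous: %s" % extra if extra else "unambiguous")
```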
Assignee
Comment 1•12 years ago
Rob, could you just check this for correctness? I think the shared.nsh changes are right but we just haven't ported bug 716045 yet.
Attachment #674618 - Flags: review?(robert.bugzilla)
Assignee
Updated•12 years ago
Assignee: nobody → mbanner
Comment 2•12 years ago
Comment on attachment 674618: The fix
Looks good
Attachment #674618 - Flags: review?(robert.bugzilla) → review+
Assignee
Comment 3•12 years ago
Comment on attachment 674618: The fix
[Triage Comment]
Ok, as this has unfortunately been long revealed, we're going to take it in the releases we're doing this week and get it fixed.
Attachment #674618 - Flags: approval-comm-release+
Attachment #674618 - Flags: approval-comm-esr10+
Attachment #674618 - Flags: approval-comm-beta+
Attachment #674618 - Flags: approval-comm-aurora+
Assignee
Updated•12 years ago
tracking-thunderbird-esr10: --- → 16+
Assignee
Comment 4•12 years ago
https://hg.mozilla.org/comm-central/rev/477e78b3b2cb
https://hg.mozilla.org/releases/comm-aurora/rev/6726e97a0d3c
https://hg.mozilla.org/releases/comm-beta/rev/18f28032dc59
https://hg.mozilla.org/releases/comm-release/rev/234a03980b2b
The esr patch doesn't have the https://hg.mozilla.org/releases/comm-esr10/rev/6c5e9520517a
status-thunderbird16: --- → fixed
status-thunderbird17: --- → fixed
status-thunderbird18: --- → fixed
status-thunderbird-esr10: --- → fixed
Assignee
Updated•12 years ago
Target Milestone: --- → Thunderbird 19.0
Assignee
Comment 5•12 years ago
Also pushed to the relbranch for 10.0.10esr: https://hg.mozilla.org/releases/comm-esr10/rev/dbd298bf5c74 I've also verified the fix on the trunk builds with the str in bug 770478 comment 6.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release