Thunderbird Installer can run untrusted program

RESOLVED FIXED in Thunderbird 19.0

Status

defect
RESOLVED FIXED
7 years ago
3 years ago

People

(Reporter: standard8, Assigned: standard8)

Tracking

({sec-moderate})

Trunk
Thunderbird 19.0
x86
Windows 7

Thunderbird Tracking Flags

(thunderbird16+ fixed, thunderbird17+ fixed, thunderbird18+ fixed, thunderbird-esr1016+ fixed)

Details

Attachments

(1 attachment)

Description

7 years ago
See Bug 770478, the installer should quote the string around the path to actually launch Thunderbird and not something else.

Comment 1

7 years ago
Posted patch: The fix
Rob, could you just check this for correctness? I think the shared.nsh changes are right but we just haven't ported bug 716045 yet.
Attachment #674618 - Flags: review?(robert.bugzilla)

Updated

7 years ago
Assignee: nobody → mbanner
Comment on attachment 674618
The fix

Looks good
Attachment #674618 - Flags: review?(robert.bugzilla) → review+

Comment 3

7 years ago
Comment on attachment 674618
The fix

[Triage Comment]
Ok, as this has unfortunately been long revealed, we're going to take it in the releases we're doing this week and get it fixed.
Attachment #674618 - Flags: approval-comm-release+
Attachment #674618 - Flags: approval-comm-esr10+
Attachment #674618 - Flags: approval-comm-beta+
Attachment #674618 - Flags: approval-comm-aurora+

Updated

7 years ago
Target Milestone: --- → Thunderbird 19.0

Comment 5

7 years ago
Also pushed to the relbranch for 10.0.10esr:

https://hg.mozilla.org/releases/comm-esr10/rev/dbd298bf5c74

I've also verified the fix on the trunk builds with the str in bug 770478 comment 6.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release