DLL Hijacking - Thunderbird installer - Part 2

RESOLVED FIXED in Thunderbird 20.0

Status

defect
RESOLVED FIXED
7 years ago
3 years ago

People

(Reporter: standard8, Assigned: standard8)

Tracking

({csectype-priv-escalation, sec-high})

Dependency tree / graph

Thunderbird Tracking Flags

(thunderbird17- wontfix, thunderbird18+ fixed, thunderbird19 fixed, thunderbird-esr1018+ fixed, thunderbird-esr1718+ fixed)

Details

Attachments

(2 attachments)

Assignee

Description

7 years ago
+++ This bug was initially created as a clone of Bug #803515 +++

This bug is for the changes required to the installer to protect against more dll hijacking see bug 792106 comment 93 onwards relating to cryptbase.dll

I'm splitting this out from bug 803515 to allow better tracking, as bug 803515 has already landed the dwmapi.dll parts.

The cryptbase.dll is currently wontfix for gecko 17 as per bug 792106 comment 125
Assignee

Updated

7 years ago
Assignee: nobody → mbanner
Depends on: 811557
Assignee

Comment 1

7 years ago
Posted patch The fixSplinter Review
Copied the current Firefox version and made the appropriate changes to make it Thunderbird.
Attachment #686080 - Flags: review?(irving)
Comment on attachment 686080 [details] [diff] [review]
The fix

I followed the tests script at https://bugzilla.mozilla.org/show_bug.cgi?id=792106#c112, and on Windows 7 64-bit, running my own build of 32-bit debug Thunderbird, none of the libraries the installer required, that were not in the KnownDLLs list, were vulnerable to the DLL hijack.
Attachment #686080 - Flags: review?(irving) → review+
Assignee

Comment 3

7 years ago
Comment on attachment 686080 [details] [diff] [review]
The fix

This already landed in some places (I forgot to update the bug status):

http://hg.mozilla.org/comm-central/rev/622cabcbac39
http://hg.mozilla.org/releases/comm-aurora/rev/771ba559df5f
http://hg.mozilla.org/releases/comm-beta/rev/5d701b9d9190

and I just landed it in:

https://hg.mozilla.org/releases/comm-esr17/rev/3bea464deb12
Attachment #686080 - Flags: approval-comm-esr17+
Attachment #686080 - Flags: approval-comm-beta+
Attachment #686080 - Flags: approval-comm-aurora+
Assignee

Comment 4

7 years ago
ESR10 is still outstanding, I'll get on that in the next day or so.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 20.0
Assignee

Comment 5

7 years ago
Posted patch ESR 10 fixSplinter Review
Here's the ESR10 fix, same as before, I'll need to land before Thursday to get this into the release.
Attachment #696777 - Flags: review?(irving)
Assignee

Comment 6

7 years ago
Comment on attachment 696777 [details] [diff] [review]
ESR 10 fix

[Triage Comment]
Ok, self-rs own patch as I realised Irving is away until next week and we need to get this landed before the release - this was formed in exactly the same way as the other executable updates that we've done, and can be verified by compilation/test of the builds. The functional changes were taken from the changes landed by Firefox.

I'll get Irving to verify this fully on Monday before the release, but I'm confident that it is fine.
Attachment #696777 - Flags: review?(irving)
Attachment #696777 - Flags: review+
Attachment #696777 - Flags: feedback?(irving)
Attachment #696777 - Flags: approval-comm-esr10+
Comment on attachment 696777 [details] [diff] [review]
ESR 10 fix

ESR 10.0.12 build 2 looks good to me.
Attachment #696777 - Flags: feedback?(irving) → feedback+

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.