Closed Bug 811227 Opened 10 years ago Closed 10 years ago

DLL Hijacking - Thunderbird installer - Part 2


(Thunderbird :: Installer, defect)

Windows 7
Not set


(thunderbird17- wontfix, thunderbird18+ fixed, thunderbird19 fixed, thunderbird-esr1018+ fixed, thunderbird-esr1718+ fixed)

Thunderbird 20.0
Tracking Status
thunderbird17 - wontfix
thunderbird18 + fixed
thunderbird19 --- fixed
thunderbird-esr10 18+ fixed
thunderbird-esr17 18+ fixed


(Reporter: standard8, Assigned: standard8)



(Keywords: csectype-priv-escalation, sec-high)


(2 files)

+++ This bug was initially created as a clone of Bug #803515 +++

This bug is for the changes required to the installer to protect against more dll hijacking see bug 792106 comment 93 onwards relating to cryptbase.dll

I'm splitting this out from bug 803515 to allow better tracking, as bug 803515 has already landed the dwmapi.dll parts.

The cryptbase.dll is currently wontfix for gecko 17 as per bug 792106 comment 125
Assignee: nobody → mbanner
Depends on: 811557
Attached patch The fixSplinter Review
Copied the current Firefox version and made the appropriate changes to make it Thunderbird.
Attachment #686080 - Flags: review?(irving)
Comment on attachment 686080 [details] [diff] [review]
The fix

I followed the tests script at, and on Windows 7 64-bit, running my own build of 32-bit debug Thunderbird, none of the libraries the installer required, that were not in the KnownDLLs list, were vulnerable to the DLL hijack.
Attachment #686080 - Flags: review?(irving) → review+
Comment on attachment 686080 [details] [diff] [review]
The fix

This already landed in some places (I forgot to update the bug status):

and I just landed it in:
Attachment #686080 - Flags: approval-comm-esr17+
Attachment #686080 - Flags: approval-comm-beta+
Attachment #686080 - Flags: approval-comm-aurora+
ESR10 is still outstanding, I'll get on that in the next day or so.
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 20.0
Attached patch ESR 10 fixSplinter Review
Here's the ESR10 fix, same as before, I'll need to land before Thursday to get this into the release.
Attachment #696777 - Flags: review?(irving)
Comment on attachment 696777 [details] [diff] [review]
ESR 10 fix

[Triage Comment]
Ok, self-rs own patch as I realised Irving is away until next week and we need to get this landed before the release - this was formed in exactly the same way as the other executable updates that we've done, and can be verified by compilation/test of the builds. The functional changes were taken from the changes landed by Firefox.

I'll get Irving to verify this fully on Monday before the release, but I'm confident that it is fine.
Attachment #696777 - Flags: review?(irving)
Attachment #696777 - Flags: review+
Attachment #696777 - Flags: feedback?(irving)
Attachment #696777 - Flags: approval-comm-esr10+
Comment on attachment 696777 [details] [diff] [review]
ESR 10 fix

ESR 10.0.12 build 2 looks good to me.
Attachment #696777 - Flags: feedback?(irving) → feedback+
No longer depends on: 811557
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.