Call SetDllDirectory(L"") as a precaution in updater

RESOLVED FIXED in Firefox 22

Status


RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: bbondy, Assigned: bbondy)

Tracking

({sec-moderate})

18 Branch
mozilla22
x86_64
Windows 7
sec-moderate
Points:
---

Firefox Tracking Flags

(firefox20 affected, firefox21- affected, firefox22 fixed, firefox-esr17- wontfix, b2g18 unaffected)

Details

(Whiteboard: [adv-main22-])

Attachments

(1 attachment)

(Assignee)

Description

6 years ago
There are no known security attacks, but it's a good idea to call SetDllDirectory("") as a precaution. This call will remove the current directory for dynamically loaded DLLs if we ever introduce the use of some.
(Assignee)

Comment 1

6 years ago
Created attachment 716728 [details] [diff] [review]
Patch v1.

I decided to put it here because that way we don't need extra ugly ifdefs inside updater.cpp. This file is already Windows-only and it is called before main() is even entered.
Attachment #716728 - Flags: review?(robert.bugzilla)
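
The approach described in the description and comment 1, sketched as an added example (this is not the code from attachment 716728): a static initializer removes the current directory from the DLL search path before main() is entered. The names Hardening, RemoveCwdFromDllSearch, EarlyInit and EarlyHardeningState are hypothetical, and the _WIN32 guard exists only so the file also builds on other platforms.

```cpp
// Added example, not Mozilla's patch. All identifiers except the Win32 API
// call SetDllDirectoryW are hypothetical.
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
#endif

enum class Hardening { Applied, Failed, NotWindows };

// SetDllDirectoryW(L"") removes the current directory from the search path
// used by later LoadLibrary/LoadLibraryEx calls. It does not change how DLLs
// named in the import table are resolved, because the loader binds those
// before any code in the process runs.
static Hardening RemoveCwdFromDllSearch() {
#ifdef _WIN32
  return ::SetDllDirectoryW(L"") ? Hardening::Applied : Hardening::Failed;
#else
  return Hardening::NotWindows;  // nothing to do off Windows
#endif
}

namespace {
// Namespace-scope object: its constructor runs during static initialization,
// before main(), so no #ifdef is needed in the program's main source file.
struct EarlyInit {
  Hardening state;
  EarlyInit() : state(RemoveCwdFromDllSearch()) {}
};
EarlyInit gEarlyInit;
}  // namespace

// Lets start-up code confirm the hardening step actually took effect.
Hardening EarlyHardeningState() { return gEarlyInit.state; }

int main() {
  // Fail closed: do not go on to load anything dynamically if the call failed.
  if (EarlyHardeningState() == Hardening::Failed) {
    std::fprintf(stderr, "SetDllDirectoryW failed; refusing to continue\n");
    return 1;
  }
  std::puts(EarlyHardeningState() == Hardening::Applied
                ? "current directory removed from DLL search path"
                : "not a Windows build; nothing to harden");
  return 0;
}
```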
(Assignee)

Updated

6 years ago
No longer depends on: 830134
Keywords: sec-moderate
Attachment #716728 - Flags: review?(robert.bugzilla) → review+
(Assignee)

Comment 2

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/3e5f2cfbf3b4
Target Milestone: --- → mozilla22
https://hg.mozilla.org/mozilla-central/rev/3e5f2cfbf3b4
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox22: --- → fixed
Resolution: --- → FIXED
Do we need this on ESR-17?
status-firefox20: --- → affected
status-firefox21: --- → affected
status-firefox-esr17: --- → affected
tracking-firefox21: --- → ?
tracking-firefox-esr17: --- → ?
(Assignee)

Comment 5

6 years ago
I don't think we need it uplifted anywhere since there is no specific known attack we're protecting against.

Comment 6

6 years ago
(In reply to Brian R. Bondy [:bbondy] from comment #5)
> I don't think we need it uplifted anywhere since there is no specific known
> attack we're protecting against.

Sounds reasonable, especially since this is sec-moderate.
tracking-firefox21: ? → -
tracking-firefox-esr17: ? → ---

Updated

6 years ago
tracking-firefox-esr17: --- → -

Updated

6 years ago
status-firefox-esr17: affected → wontfix
status-b2g18: --- → unaffected
Whiteboard: [adv-main22-]
Group: core-security