Closed Bug 871084 Opened 12 years ago Closed 4 years ago

Vulnerability (unquoted path containing spaces) in "UninstallString" may run rogue program

Categories

(Thunderbird :: Installer, defect)

17 Branch
All
Windows 2000
defect
Not set
trivial

Tracking

(thunderbird_esr78+ fixed, thunderbird84 affected)

RESOLVED FIXED
85 Branch
Tracking Status
thunderbird_esr78 + fixed
thunderbird84 --- affected

People

(Reporter: stefan.kanthak, Assigned: lilian.braud)

References

Details

Attachments

(1 file)

User Agent: Opera/9.80 (Windows NT 5.0; U; de) Presto/2.10.289 Version/12.02

Steps to reproduce:

Install Thunderbird

Actual results:

Command line with vulnerable unquoted path containing spaces written to "UninstallString":

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.5 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe"

Expected results:

Properly quoted command line written to "UninstallString":

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.5 (x86 en-US)]
"UninstallString"="\"C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe\""
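The defect the report describes, as an added example that is not code from the Thunderbird installer or from the patch attached to this bug: a small Python audit that flags "UninstallString" values whose unquoted executable path contains spaces, lists the paths CreateProcess would consider in order for such a command line (its documented behaviour: split at each space, append .exe where the fragment has no extension), and emits the corrected value in .reg export notation. The sample values are constructed from the two registry lines quoted in the report, and the ".exe-token" rule used to find the end of an unquoted executable is a heuristic of this example; reading the live registry is deliberately left out so the checks run on any OS.

```python
"""Audit "UninstallString" registry values for unquoted paths containing spaces.

Added example for this bug's class of defect; not code from the Thunderbird
installer or from the patch attached to the bug. The sample values are
constructed from the two registry lines quoted in the report, and winreg is
left out on purpose so the checks run on any OS.
"""
import re

# Constructed samples: the value the 17.0.5 installer wrote ("actual") and the
# value the reporter expected ("expected"). Raw strings, so single backslashes
# exactly as stored in the registry (not .reg export escaping).
SAMPLE_VALUES = {
    "actual": r"C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe",
    "expected": r'"C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe"',
}


def _quoted_executable(cmdline):
    """For a command line that starts with '"', return (executable, arguments)."""
    end = cmdline.find('"', 1)
    if end < 0:                 # unterminated quote: treat the remainder as the path
        end = len(cmdline)
    return cmdline[1:end], cmdline[end + 1:].strip()


def split_executable(cmdline):
    """Split a command line into (executable, arguments).

    A leading double-quoted token is the executable, as CreateProcess defines it.
    For an unquoted value this example uses the heuristic of stopping at the first
    token that ends in .exe, which matches what installers typically write.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return _quoted_executable(cmdline)
    tokens = cmdline.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:])
    return cmdline, ""


def candidate_executables(cmdline):
    """Executable paths CreateProcess may try, in order, for this command line.

    For an unquoted string the system splits at each space in turn and appends
    .exe when the fragment has no extension; a quoted command line yields one
    unambiguous candidate. More than one candidate is the risk the bug reports:
    a file present at an earlier candidate path would run instead of the real
    uninstaller.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return [_quoted_executable(cmdline)[0]]
    tokens = cmdline.split(" ")
    out = []
    for i in range(1, len(tokens) + 1):
        frag = " ".join(tokens[:i])
        if not re.search(r"\.[^\\ ]+$", frag):   # last path component has no extension
            frag += ".exe"
        out.append(frag)
    return out


def quote_uninstall_string(cmdline):
    """Return the command line with its executable path double-quoted.

    Already-quoted values and space-free paths come back unchanged, so the
    function is idempotent and safe to apply to every Uninstall subkey.
    """
    cmdline = cmdline.strip()
    exe, args = split_executable(cmdline)
    if cmdline.startswith('"') or " " not in exe:
        return cmdline
    return '"%s"' % exe + (" " + args if args else "")


def reg_export_line(name, value):
    """Render a REG_SZ value in .reg export syntax (backslashes doubled, quotes
    escaped), the notation the bug report uses for both values."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"="%s"' % (name, escaped)


def audit(values):
    """Return (name, candidates, corrected value) for every UninstallString that
    resolves to more than one executable path."""
    findings = []
    for name, value in values.items():
        cands = candidate_executables(value)
        if len(cands) > 1:
            findings.append((name, cands, quote_uninstall_string(value)))
    return findings


if __name__ == "__main__":
    for name, cands, fixed in audit(SAMPLE_VALUES):
        print("%s: %d candidate paths, first tried is %s" % (name, len(cands), cands[0]))
        print("  fix: " + reg_export_line("UninstallString", fixed))
```

On a real system the same functions would be fed the "UninstallString" value of each subkey under the Uninstall key shown in the report; the only finding for the constructed samples is the "actual" value, whose corrected form reproduces the "expected" line byte for byte.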
Reference: bug 868746

Also, it should be easy enough for someone on the Thunderbird team to fix this bug.
Another month passed, and this "easy enough to fix" BEGINNER'S ERROR is still present in 17.0.8!

JFTR: <http://msdn.microsoft.com/library/ms997548.aspx>
| The path you supply to Uninstall-String must be the complete
| command line used to carry out your uninstall program.
(In reply to Stefan Kanthak from comment #3)
> Another month passed, and this "easy enough to fix" BEGINNERS ERROR is still
> present in 17.0.8!

Just because it can be fixed doesn't mean it deserves to be fixed ASAP. It apparently has no serious exposure, etc., so please don't spam the bug.

Trivial severity based on rs' assessment in bug 868746.
Severity: normal → trivial
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 868746

(In reply to Wayne Mery (:wsmwk) from comment #4)
> Trivial severity based on rs' assessment in bug 868746.

Looking at the discussion, I'm not sure if that assessment was entirely correct.
Anyway, Firefox has fixed this, so should we. 2 lines of code to add the quotes:

https://bugzilla.mozilla.org/page.cgi?id=splinter.html&ignore=&bug=868746&attachment=747062

Lilian?

Flags: needinfo?(lilian.braud)
Assignee: nobody → lilian.braud
Status: NEW → ASSIGNED

After all, 1 line of code to add the quotes.
Lines 422 and 562 already have the quotes.

Flags: needinfo?(lilian.braud)
Attachment #9191176 - Attachment description: Bug 871084 - Vulnerability (unquoted path containing spaces) in UninstallString may run rogue program. r=thomasD → Bug 871084 - Installer should quote the 'uninstallstring' registry value in case a non OS builtin app uses the value. r=thomasD,mkmelin
Target Milestone: --- → 85 Branch

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/ed2e9b0dbf70
Installer should quote the 'uninstallstring' registry value in case a non OS builtin app uses the value. r=thomasD,mkmelin

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Comment on attachment 9191176 [details]
Bug 871084 - Installer should quote the 'uninstallstring' registry value in case a non OS builtin app uses the value. r=thomasD,mkmelin

[Approval Request Comment]
Minor sec issue.

Attachment #9191176 - Flags: approval-comm-esr78?

Comment on attachment 9191176 [details]
Bug 871084 - Installer should quote the 'uninstallstring' registry value in case a non OS builtin app uses the value. r=thomasD,mkmelin

[Triage Comment]
Approved for esr78

Attachment #9191176 - Flags: approval-comm-esr78? → approval-comm-esr78+