NSIS: Quote uninstaller path when executing it in a shell
Protect our `$0` reference in the shell as `"$0"`. Otherwise it works with a space in the path only due to an insecure Windows feature. Prior to this fix, any installer using the option added by commit v2.8.9~234^2 (Added CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL, 2011-06-11) exposes a local privilege escalation vulnerability. Reported-by: Amir Szekely <kichik@gmail.com> Reported-by: Ug_0 Security
This commit is contained in:
Justin Clift
Brad King
parent
e31084e657
commit
11768733d3
|
|
@ -308,3 +308,9 @@ Other Changes
|
||||||
preferred future use is upper cased component names in variables.
|
preferred future use is upper cased component names in variables.
|
||||||
New variables that will be added to CPackRPM in later versions
|
New variables that will be added to CPackRPM in later versions
|
||||||
will only support upper cased component variable format.
|
will only support upper cased component variable format.
|
||||||
|
|
||||||
|
* The CPack NSIS generator's configuration file template was fixed to
|
||||||
|
quote the path to the uninstaller tool used by the
|
||||||
|
:variable:`CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL` option.
|
||||||
|
This avoids depending on an insecure Windows feature to run an
|
||||||
|
uninstaller tool with a space in the path.
|
||||||
|
|
|
||||||
|
|
@ -920,7 +920,7 @@ uninst:
|
||||||
ClearErrors
|
ClearErrors
|
||||||
StrLen $2 "\Uninstall.exe"
|
StrLen $2 "\Uninstall.exe"
|
||||||
StrCpy $3 $0 -$2 # remove "\Uninstall.exe" from UninstallString to get path
|
StrCpy $3 $0 -$2 # remove "\Uninstall.exe" from UninstallString to get path
|
||||||
ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file
|
ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file
|
||||||
|
|
||||||
IfErrors uninst_failed inst
|
IfErrors uninst_failed inst
|
||||||
uninst_failed:
|
uninst_failed:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue