From 11768733d321df55b0efcb70b278c71b8e216cf7 Mon Sep 17 00:00:00 2001 From: Justin Clift Date: Fri, 15 Jul 2016 14:18:37 +0100 Subject: NSIS: Quote uninstaller path when executing it in a shell Protect our `$0` reference in the shell as `"$0"`. Otherwise it works with a space in the path only due to an insecure Windows feature. Prior to this fix, any installer using the option added by commit v2.8.9~234^2 (Added CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL, 2011-06-11) exposes a local privilege escalation vulnerability. Reported-by: Amir Szekely Reported-by: Ug_0 Security --- Help/release/3.6.rst | 6 ++++++ Modules/NSIS.template.in | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Help/release/3.6.rst b/Help/release/3.6.rst index 771c9dd..144537d 100644 --- a/Help/release/3.6.rst +++ b/Help/release/3.6.rst @@ -308,3 +308,9 @@ Other Changes preferred future use is upper cased component names in variables. New variables that will be added to CPackRPM in later versions will only support upper cased component variable format. + +* The CPack NSIS generator's configuration file template was fixed to + quote the path to the uninstaller tool used by the + :variable:`CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL` option. + This avoids depending on an insecure Windows feature to run an + uninstaller tool with a space in the path. diff --git a/Modules/NSIS.template.in b/Modules/NSIS.template.in index 1ef3d28..92a3142 100644 --- a/Modules/NSIS.template.in +++ b/Modules/NSIS.template.in @@ -920,7 +920,7 @@ uninst: ClearErrors StrLen $2 "\Uninstall.exe" StrCpy $3 $0 -$2 # remove "\Uninstall.exe" from UninstallString to get path - ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file + ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file IfErrors uninst_failed inst uninst_failed: -- cgit v0.12