Switch to NSIS 3.03 to avoid DLL hijacking #13643

pull h4x3rotab wants to merge 2 commits into bitcoin:master from h4x3rotab:nsis-fix changing 3 files +309 −190
  1. h4x3rotab commented at 2:06 pm on July 12, 2018: none

    Early version of NSIS searches its DLL from the same directory of the executable. If a hacker can place some DLL files in the same directory of the bitcoin installer, the installer will load and run it with admin permission.

    Gitian is still in trusty. It shipped with NSIS 2.46, which is vulnerable to this issue. So in this fix, we instead build the latest NSIS by Gitian.

    Thanks to @wilsonmeier from Bitcoin Gold team for the fix. Borrowed some code from TOR project.

    Details: https://trac.torproject.org/projects/tor/ticket/17895

  2. fanquake added the label Windows on Jul 12, 2018
  3. fanquake added the label Build system on Jul 12, 2018
  4. fanquake requested review from theuni on Jul 12, 2018
  5. laanwj commented at 2:09 pm on July 12, 2018: member
    Thanks, The idea was to switch to Ubuntu 18.04 for building to avoid having to do this, as that ships with a newer NSIS package, but if that turns out not to be feasible before the next release this will be helpful!
  6. Switch to NSIS 3.03 to avoid DLL hijacking 
    Early version of NSIS searches its DLL from the same directory of
the executable. If a hacker can place some DLL files in the same
directory of the bitcoin installer, the installer will load and
run it with admin permission.

Gitian is still in trusty. It shipped with NSIS 2.46, which is
vulnerable to this issue. So in this fix, we instead build the
latest NSIS by Gitian.

Thanks to @wilson from Bitcoin Gold team for the fix. Borrowed some
code from TOR project.

Details: https://trac.torproject.org/projects/tor/ticket/17895
    921c372d62
  7. h4x3rotab force-pushed on Jul 12, 2018
  8. MarcoFalke commented at 2:11 pm on July 12, 2018: member

    if that turns out not to be feasible before the next release this will be helpful!

    Currently our Windows gitian cross builds are broken, so we’d have to switch to bionic. (Or revert the qt depends bump)

  9. DrahtBot commented at 2:12 pm on July 12, 2018: member
    • #13623 (Migrate gitian-build.sh to python by ken2812221)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  10. Fix whitespace 59c243fbf0
  11. h4x3rotab force-pushed on Jul 12, 2018
  12. ken2812221 commented at 2:36 pm on July 12, 2018: contributor
    This has been fixed in nsis 2.50, and nsis in ubuntu bionic is version 2.51.
  13. h4x3rotab commented at 2:39 pm on July 12, 2018: none

    This has been fixed in nsis 2.50, and nsis in ubuntu bionic is version 2.51.

    Yeah, bionic could be even better.

  14. theuni commented at 6:59 pm on July 12, 2018: member
    Holding out on reviewing this until after #13171 is merged or closed.
  15. ghost commented at 1:08 pm on July 14, 2018: none
    Bitcoin Gold developer contributing for Bitcoin Core, nice 👍
  16. MarcoFalke commented at 11:00 am on July 16, 2018: member
    Closing per #13643 (comment)
  17. MarcoFalke closed this on Jul 16, 2018
  18. DrahtBot locked this on Sep 8, 2021


h4x3rotab laanwj MarcoFalke DrahtBot ken2812221 theuni ghost


theuni

Labels
Windows Build system

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-17 18:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me