diff options
| author | kali <kali@win> | 2021-12-15 19:45:11 +0100 |
|---|---|---|
| committer | kali kaneko (leap communications) <kali@leap.se> | 2021-12-15 20:02:12 +0100 |
| commit | e694a038c7edc146b63557425b307833b11aea57 (patch) | |
| tree | 4cef985ee8e19c040c5eedc0daf4a302a2e49bfa /Makefile | |
| parent | 7ab7b8cd822dc0e4548f9cf6795567f2eeef44e1 (diff) | |
[bug] avoid installing in custom paths
A vulnerability in QtIFW produces improper ACLs to be set when
installing in custom locations. This can lead to privilege escalation if
a non-privileged user overwrites the openvpn binary. Thanks to
researchers at Tenable for finding and reporting this!
Impact is considered low-medium, since an installation outside of the
suggested path is needed to trigger the issue.
Privileged execution of openvpn should be abandoned in next release, in
favor of the interactive service.
A bug upstream should be filed since other projects could be affected by
this vulnerability too.
-Resolves: #569
Diffstat (limited to 'Makefile')
| -rw-r--r-- | Makefile | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -178,6 +178,7 @@ ifeq (${PLATFORM}, windows) "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string CompanyName "LEAP Encryption Access Project" "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string FileDescription "${APPNAME}" "c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} ${QTBUILD}/release/${TARGET}.exe + # XXX need to deprecate helper and embrace interactive service cp build/bin/${PLATFORM}/bitmask-helper build/bin/${PLATFORM}/bitmask-helper.exe "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-file-version ${VERSION} "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-product-version ${VERSION} @@ -231,7 +232,6 @@ else @cp ${VENDOR_PATH}/assets/icon.ico ${INST_DATA}/icon.ico endif @cp ${QTBUILD}/release/${TARGET}.exe ${INST_DATA}${TARGET}.exe - # FIXME get the signed binaries with curl from openvpn downloads page. @cp "/c/Program Files/OpenVPN/bin/openvpn.exe" ${INST_DATA} @cp "/c/Program Files/OpenVPN/bin/"*.dll ${INST_DATA} ifeq (${RELEASE}, yes) @@ -243,6 +243,11 @@ else endif # TODO stage it to shave some time @wget ${TAP_WINDOWS} -O ${INST_DATA}/tap-windows.exe + # XXX this is a workaround for missing libs after windeployqt --- + @cp /c/Qt/5.15.2/mingw81_64/bin/libgcc_s_seh-1.dll ${INST_DATA} + @cp /c/Qt/5.15.2/mingw81_64/bin/libstdc++-6.dll ${INST_DATA} + @cp /c/Qt/5.15.2/mingw81_64/bin/libwinpthread-1.dll ${INST_DATA} + @cp -r /c/Qt/5.15.2/mingw81_64/qml ${INST_DATA} endif ifeq (${PLATFORM}, linux) @VERSION=${VERSION} ${SCRIPTS}/gen-qtinstaller linux ${INSTALLER} |