From e694a038c7edc146b63557425b307833b11aea57 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 15 Dec 2021 19:45:11 +0100 Subject: [bug] avoid installing in custom paths A vulnerability in QtIFW produces improper ACLs to be set when installing in custom locations. This can lead to privilege escalation if a non-privileged user overwrites the openvpn binary. Thanks to researchers at Tenable for finding and reporting this! Impact is considered low-medium, since an installation outside of the suggested path is needed to trigger the issue. Privileged execution of openvpn should be abandoned in next release, in favor of the interactive service. A bug upstream should be filed since other projects could be affected by this vulnerability too. -Resolves: #569 --- CHANGELOG | 1 + Makefile | 7 ++++++- branding/scripts/gen-qtinstaller | 2 +- branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js | 1 + 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index b50ddb2..982151f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -13,6 +13,7 @@ development - Disable autostart on first run - Provider "message of the day" - primitive version check for windows, osx. +- #569 avoid installing in custom paths to mitigate security issue in windows 0.21.6 diff --git a/Makefile b/Makefile index d0d4040..e7096cc 100644 --- a/Makefile +++ b/Makefile @@ -178,6 +178,7 @@ ifeq (${PLATFORM}, windows) "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string CompanyName "LEAP Encryption Access Project" "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string FileDescription "${APPNAME}" "c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} ${QTBUILD}/release/${TARGET}.exe + # XXX need to deprecate helper and embrace interactive service cp build/bin/${PLATFORM}/bitmask-helper build/bin/${PLATFORM}/bitmask-helper.exe "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-file-version ${VERSION} "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-product-version ${VERSION} @@ -231,7 +232,6 @@ else @cp ${VENDOR_PATH}/assets/icon.ico ${INST_DATA}/icon.ico endif @cp ${QTBUILD}/release/${TARGET}.exe ${INST_DATA}${TARGET}.exe - # FIXME get the signed binaries with curl from openvpn downloads page. @cp "/c/Program Files/OpenVPN/bin/openvpn.exe" ${INST_DATA} @cp "/c/Program Files/OpenVPN/bin/"*.dll ${INST_DATA} ifeq (${RELEASE}, yes) @@ -243,6 +243,11 @@ else endif # TODO stage it to shave some time @wget ${TAP_WINDOWS} -O ${INST_DATA}/tap-windows.exe + # XXX this is a workaround for missing libs after windeployqt --- + @cp /c/Qt/5.15.2/mingw81_64/bin/libgcc_s_seh-1.dll ${INST_DATA} + @cp /c/Qt/5.15.2/mingw81_64/bin/libstdc++-6.dll ${INST_DATA} + @cp /c/Qt/5.15.2/mingw81_64/bin/libwinpthread-1.dll ${INST_DATA} + @cp -r /c/Qt/5.15.2/mingw81_64/qml ${INST_DATA} endif ifeq (${PLATFORM}, linux) @VERSION=${VERSION} ${SCRIPTS}/gen-qtinstaller linux ${INSTALLER} diff --git a/branding/scripts/gen-qtinstaller b/branding/scripts/gen-qtinstaller index 5b4d103..eb11d3b 100755 --- a/branding/scripts/gen-qtinstaller +++ b/branding/scripts/gen-qtinstaller @@ -27,7 +27,7 @@ OS_CONFIG = { """, 'windows': """ - @ApplicationsDir@/$APPNAME + c:/Program Files (x86)/$APPNAME $APPNAME @TargetDir@/$BINNAME.exe diff --git a/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js b/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js index b97d0a7..aa3da1f 100644 --- a/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js +++ b/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js @@ -29,6 +29,7 @@ function Component() { console.log("OS: " + systemInfo.productType); console.log("Kernel: " + systemInfo.kernelType + "/" + systemInfo.kernelVersion); + installer.setDefaultPageVisible(QInstaller.TargetDirectory, false); var validOs = false; -- cgit v1.2.3