From e694a038c7edc146b63557425b307833b11aea57 Mon Sep 17 00:00:00 2001
From: kali <kali@win>
Date: Wed, 15 Dec 2021 19:45:11 +0100
Subject: [bug] avoid installing in custom paths

A vulnerability in QtIFW produces improper ACLs to be set when
installing in custom locations. This can lead to privilege escalation if
a non-privileged user overwrites the openvpn binary. Thanks to
researchers at Tenable for finding and reporting this!

Impact is considered low-medium, since an installation outside of the
suggested path is needed to trigger the issue.

Privileged execution of openvpn should be abandoned in next release, in
favor of the interactive service.

A bug upstream should be filed since other projects could be affected by
this vulnerability too.

-Resolves: #569
---
 branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js | 1 +
 1 file changed, 1 insertion(+)

(limited to 'branding/templates/qtinstaller/packages')

diff --git a/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js b/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js
index b97d0a7..aa3da1f 100644
--- a/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js
+++ b/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js
@@ -29,6 +29,7 @@ function Component() {
 
     console.log("OS: " + systemInfo.productType);
     console.log("Kernel: " + systemInfo.kernelType + "/" + systemInfo.kernelVersion);
+    installer.setDefaultPageVisible(QInstaller.TargetDirectory, false);
 
     var validOs = false;
 
-- 
cgit v1.2.3