mirror of https://0xacab.org/leap/bitmask-vpn
[bug] avoid installing in custom paths
A vulnerability in QtIFW produces improper ACLs to be set when installing in custom locations. This can lead to privilege escalation if a non-privileged user overwrites the openvpn binary. Thanks to researchers at Tenable for finding and reporting this! Impact is considered low-medium, since an installation outside of the suggested path is needed to trigger the issue. Privileged execution of openvpn should be abandoned in next release, in favor of the interactive service. A bug upstream should be filed since other projects could be affected by this vulnerability too. -Resolves: #569
This commit is contained in:
parent
7ab7b8cd82
commit
e694a038c7
|
@ -13,6 +13,7 @@ development
|
|||
- Disable autostart on first run
|
||||
- Provider "message of the day"
|
||||
- primitive version check for windows, osx.
|
||||
- #569 avoid installing in custom paths to mitigate security issue in windows
|
||||
|
||||
|
||||
0.21.6
|
||||
|
|
7
Makefile
7
Makefile
|
@ -178,6 +178,7 @@ ifeq (${PLATFORM}, windows)
|
|||
"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string CompanyName "LEAP Encryption Access Project"
|
||||
"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string FileDescription "${APPNAME}"
|
||||
"c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} ${QTBUILD}/release/${TARGET}.exe
|
||||
# XXX need to deprecate helper and embrace interactive service
|
||||
cp build/bin/${PLATFORM}/bitmask-helper build/bin/${PLATFORM}/bitmask-helper.exe
|
||||
"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-file-version ${VERSION}
|
||||
"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-product-version ${VERSION}
|
||||
|
@ -231,7 +232,6 @@ else
|
|||
@cp ${VENDOR_PATH}/assets/icon.ico ${INST_DATA}/icon.ico
|
||||
endif
|
||||
@cp ${QTBUILD}/release/${TARGET}.exe ${INST_DATA}${TARGET}.exe
|
||||
# FIXME get the signed binaries with curl from openvpn downloads page.
|
||||
@cp "/c/Program Files/OpenVPN/bin/openvpn.exe" ${INST_DATA}
|
||||
@cp "/c/Program Files/OpenVPN/bin/"*.dll ${INST_DATA}
|
||||
ifeq (${RELEASE}, yes)
|
||||
|
@ -243,6 +243,11 @@ else
|
|||
endif
|
||||
# TODO stage it to shave some time
|
||||
@wget ${TAP_WINDOWS} -O ${INST_DATA}/tap-windows.exe
|
||||
# XXX this is a workaround for missing libs after windeployqt ---
|
||||
@cp /c/Qt/5.15.2/mingw81_64/bin/libgcc_s_seh-1.dll ${INST_DATA}
|
||||
@cp /c/Qt/5.15.2/mingw81_64/bin/libstdc++-6.dll ${INST_DATA}
|
||||
@cp /c/Qt/5.15.2/mingw81_64/bin/libwinpthread-1.dll ${INST_DATA}
|
||||
@cp -r /c/Qt/5.15.2/mingw81_64/qml ${INST_DATA}
|
||||
endif
|
||||
ifeq (${PLATFORM}, linux)
|
||||
@VERSION=${VERSION} ${SCRIPTS}/gen-qtinstaller linux ${INSTALLER}
|
||||
|
|
|
@ -27,7 +27,7 @@ OS_CONFIG = {
|
|||
""",
|
||||
'windows': """
|
||||
<!-- windows -->
|
||||
<TargetDir>@ApplicationsDir@/$APPNAME</TargetDir>
|
||||
<TargetDir>c:/Program Files (x86)/$APPNAME</TargetDir>
|
||||
<StartMenuDir>$APPNAME</StartMenuDir>
|
||||
|
||||
<RunProgram>@TargetDir@/$BINNAME.exe</RunProgram>
|
||||
|
|
|
@ -29,6 +29,7 @@ function Component() {
|
|||
|
||||
console.log("OS: " + systemInfo.productType);
|
||||
console.log("Kernel: " + systemInfo.kernelType + "/" + systemInfo.kernelVersion);
|
||||
installer.setDefaultPageVisible(QInstaller.TargetDirectory, false);
|
||||
|
||||
var validOs = false;
|
||||
|
||||
|
|
Loading…
Reference in New Issue