|
 |
dae2b79 |
From f45ee21bebeda4fc1fdd2c359a8a5bfeb1fd4459 Mon Sep 17 00:00:00 2001
|
|
|
dae2b79 |
From: Konstantin Kostiuk <kkostiuk@redhat.com>
|
|
|
dae2b79 |
Date: Fri, 3 Mar 2023 21:20:07 +0200
|
|
|
dae2b79 |
Subject: [PATCH] qga/win32: Remove change action from MSI installer
|
|
|
dae2b79 |
|
|
|
dae2b79 |
Remove the 'change' button from "Programs and Features" because it does
|
|
|
dae2b79 |
not checks if a user is an admin or not. The installer has no components
|
|
|
dae2b79 |
to choose from and always installs everything. So the 'change' button is
|
|
|
dae2b79 |
not obviously needed but can create a security issue.
|
|
|
dae2b79 |
|
|
|
dae2b79 |
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
|
|
|
dae2b79 |
fixes: CVE-2023-0664 (part 1 of 2)
|
|
|
dae2b79 |
|
|
|
dae2b79 |
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
|
|
|
dae2b79 |
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
|
|
|
dae2b79 |
Reported-by: Brian Wiltse <brian.wiltse@live.com>
|
|
|
dae2b79 |
---
|
|
|
dae2b79 |
qga/installer/qemu-ga.wxs | 1 +
|
|
|
dae2b79 |
1 file changed, 1 insertion(+)
|
|
|
dae2b79 |
|
|
|
dae2b79 |
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
|
|
|
dae2b79 |
index 0950e8c6be..b62e709a4c 100644
|
|
|
dae2b79 |
--- a/qga/installer/qemu-ga.wxs
|
|
|
dae2b79 |
+++ b/qga/installer/qemu-ga.wxs
|
|
|
dae2b79 |
@@ -58,6 +58,7 @@
|
|
|
dae2b79 |
/>
|
|
|
dae2b79 |
<Media Id="1" Cabinet="qemu_ga.$(env.QEMU_GA_VERSION).cab" EmbedCab="yes" />
|
|
|
dae2b79 |
<Property Id="WHSLogo">1</Property>
|
|
|
dae2b79 |
+ <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
|
|
|
dae2b79 |
|
|
|
dae2b79 |
DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
|
|
|
dae2b79 |
/>
|
|
|
dae2b79 |
|
|
|
dae2b79 |
From 020caf0b49dbfef8bc9ec7f02c93c3d5097bb932 Mon Sep 17 00:00:00 2001
|
|
|
dae2b79 |
From: Konstantin Kostiuk <kkostiuk@redhat.com>
|
|
|
dae2b79 |
Date: Fri, 3 Mar 2023 21:20:08 +0200
|
|
|
dae2b79 |
Subject: [PATCH] qga/win32: Use rundll for VSS installation
|
|
|
dae2b79 |
|
|
|
dae2b79 |
The custom action uses cmd.exe to run VSS Service installation
|
|
|
dae2b79 |
and removal which causes an interactive command shell to spawn.
|
|
|
dae2b79 |
This shell can be used to execute any commands as a SYSTEM user.
|
|
|
dae2b79 |
Even if call qemu-ga.exe directly the interactive command shell
|
|
|
dae2b79 |
will be spawned as qemu-ga.exe is a console application and used
|
|
|
dae2b79 |
by users from the console as well as a service.
|
|
|
dae2b79 |
|
|
|
dae2b79 |
As VSS Service runs from DLL which contains the installer and
|
|
|
dae2b79 |
uninstaller code, it can be run directly by rundll32.exe without
|
|
|
dae2b79 |
any interactive command shell.
|
|
|
dae2b79 |
|
|
|
dae2b79 |
Add specific entry points for rundll which is just a wrapper
|
|
|
dae2b79 |
for COMRegister/COMUnregister functions with proper arguments.
|
|
|
dae2b79 |
|
|
|
dae2b79 |
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
|
|
|
dae2b79 |
fixes: CVE-2023-0664 (part 2 of 2)
|
|
|
dae2b79 |
|
|
|
dae2b79 |
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
|
|
|
dae2b79 |
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
|
|
|
dae2b79 |
Reported-by: Brian Wiltse <brian.wiltse@live.com>
|
|
|
dae2b79 |
---
|
|
|
dae2b79 |
qga/installer/qemu-ga.wxs | 10 +++++-----
|
|
|
dae2b79 |
qga/vss-win32/install.cpp | 9 +++++++++
|
|
|
dae2b79 |
qga/vss-win32/qga-vss.def | 2 ++
|
|
|
dae2b79 |
3 files changed, 16 insertions(+), 5 deletions(-)
|
|
|
dae2b79 |
|
|
|
dae2b79 |
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
|
|
|
dae2b79 |
index b62e709a4c..11b66a22e6 100644
|
|
|
dae2b79 |
--- a/qga/installer/qemu-ga.wxs
|
|
|
dae2b79 |
+++ b/qga/installer/qemu-ga.wxs
|
|
|
dae2b79 |
@@ -143,22 +143,22 @@
|
|
|
dae2b79 |
</Directory>
|
|
|
dae2b79 |
</Directory>
|
|
|
dae2b79 |
|
|
|
dae2b79 |
- <Property Id="cmd" Value="cmd.exe"/>
|
|
|
dae2b79 |
+ <Property Id="rundll" Value="rundll32.exe"/>
|
|
|
dae2b79 |
<Property Id="REINSTALLMODE" Value="amus"/>
|
|
|
dae2b79 |
|
|
|
dae2b79 |
|
|
|
dae2b79 |
|
|
|
dae2b79 |
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
|
|
|
dae2b79 |
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
|
|
|
dae2b79 |
Execute="deferred"
|
|
|
dae2b79 |
- Property="cmd"
|
|
|
dae2b79 |
+ Property="rundll"
|
|
|
dae2b79 |
Impersonate="no"
|
|
|
dae2b79 |
Return="check"
|
|
|
dae2b79 |
>
|
|
|
dae2b79 |
</CustomAction>
|
|
|
dae2b79 |
|
|
|
dae2b79 |
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
|
|
|
dae2b79 |
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
|
|
|
dae2b79 |
Execute="deferred"
|
|
|
dae2b79 |
- Property="cmd"
|
|
|
dae2b79 |
+ Property="rundll"
|
|
|
dae2b79 |
Impersonate="no"
|
|
|
dae2b79 |
Return="check"
|
|
|
dae2b79 |
>
|
|
|
dae2b79 |
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
|
|
|
dae2b79 |
index b57508fbe0..68662a6dfc 100644
|
|
|
dae2b79 |
--- a/qga/vss-win32/install.cpp
|
|
|
dae2b79 |
+++ b/qga/vss-win32/install.cpp
|
|
|
dae2b79 |
@@ -357,6 +357,15 @@ out:
|
|
|
dae2b79 |
return hr;
|
|
|
dae2b79 |
}
|
|
|
dae2b79 |
|
|
|
dae2b79 |
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
|
|
|
dae2b79 |
+{
|
|
|
dae2b79 |
+ COMRegister();
|
|
|
dae2b79 |
+}
|
|
|
dae2b79 |
+
|
|
|
dae2b79 |
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
|
|
|
dae2b79 |
+{
|
|
|
dae2b79 |
+ COMUnregister();
|
|
|
dae2b79 |
+}
|
|
|
dae2b79 |
|
|
|
dae2b79 |
static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
|
|
|
dae2b79 |
{
|
|
|
dae2b79 |
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
|
|
|
dae2b79 |
index 927782c31b..ee97a81427 100644
|
|
|
dae2b79 |
--- a/qga/vss-win32/qga-vss.def
|
|
|
dae2b79 |
+++ b/qga/vss-win32/qga-vss.def
|
|
|
dae2b79 |
@@ -1,6 +1,8 @@
|
|
|
dae2b79 |
LIBRARY "QGA-PROVIDER.DLL"
|
|
|
dae2b79 |
|
|
|
dae2b79 |
EXPORTS
|
|
|
dae2b79 |
+ DLLCOMRegister
|
|
|
dae2b79 |
+ DLLCOMUnregister
|
|
|
dae2b79 |
COMRegister PRIVATE
|
|
|
dae2b79 |
COMUnregister PRIVATE
|
|
|
dae2b79 |
DllCanUnloadNow PRIVATE
|