[tbb-commits] [tor-browser/tor-browser-31.5.0esr-4.5-1] Bug 15201: Windows: disable "runas" code path in updater.

mikeperry at torproject.org mikeperry at torproject.org
Sat Mar 21 01:07:50 UTC 2015


commit 4a145590d0e636e3acdd1f00037429771e64e3b8
Author: Kathy Brade <brade at pearlcrescent.com>
Date:   Fri Mar 20 15:40:23 2015 -0400

    Bug 15201: Windows: disable "runas" code path in updater.
    
    Instead of using "runas" to try to elevate privileges, the updater
    now fails if the user does not have permission to apply an update.
    This avoids potential security issues such as CVE-2015-0833.
---
 toolkit/mozapps/update/updater/updater.cpp |   11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp
index ee7e245..3ba92b3 100644
--- a/toolkit/mozapps/update/updater/updater.cpp
+++ b/toolkit/mozapps/update/updater/updater.cpp
@@ -3033,6 +3033,16 @@ int NS_main(int argc, NS_tchar **argv)
       // using the service is because we are testing. 
       if (!useService && !noServiceFallback && 
           updateLockFileHandle == INVALID_HANDLE_VALUE) {
+#ifdef TOR_BROWSER_UPDATE
+        // Because the user profile is contained within the Tor Browser
+        // installation directory, the user almost certainly has permission to
+        // apply updates. Therefore, to avoid potential security issues such
+        // as CVE-2015-0833, do not attempt to elevate privileges. Instead,
+        // write a "failed" message to the update status file (this function
+        // will return immediately after the CloseHandle(elevatedFileHandle)
+        // call below).
+        WriteStatusFile(WRITE_ERROR_ACCESS_DENIED);
+#else
         SHELLEXECUTEINFO sinfo;
         memset(&sinfo, 0, sizeof(SHELLEXECUTEINFO));
         sinfo.cbSize       = sizeof(SHELLEXECUTEINFO);
@@ -3054,6 +3064,7 @@ int NS_main(int argc, NS_tchar **argv)
         } else {
           WriteStatusFile(ELEVATION_CANCELED);
         }
+#endif
       }
 
       if (argc > callbackIndex) {



More information about the tbb-commits mailing list