Switch to NSIS 3.03 to avoid DLL hijacking #13643
Early versions of NSIS search for DLLs in the same directory as the executable. If a hacker can place some DLL files in the same directory as the bitcoin installer, the installer will load and run them with admin permission.
Gitian is still on trusty. It ships with NSIS 2.46, which is vulnerable to this issue. So in this fix, we instead build the latest NSIS in Gitian.
Thanks to @wilsonmeier from the Bitcoin Gold team for the fix. Borrowed some code from the TOR project.
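A defender-side triage check in the spirit of this PR, added here as an example and not part of the Bitcoin Core change or the NSIS project: it scans an installer binary for the NSIS stub's version marker and flags builds older than the 3.03 release named above. The marker format `Nullsoft Install System vX.YY` is an assumption about how NSIS stubs identify themselves; verify it against a real installer before relying on it.

```python
import re
import sys
from typing import Optional, Tuple

# Assumption: NSIS-built executables embed a marker string of the form
# "Nullsoft Install System vX.YY" in their stub. Confirm on a real binary.
MARKER = re.compile(rb"Nullsoft Install System v(\d+)\.(\d+)")

# The PR switches to NSIS 3.03 to avoid the DLL search behaviour, so treat
# anything older than 3.03 as still loading DLLs from its own directory.
FIXED_VERSION = (3, 3)


def nsis_version(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) parsed from the NSIS stub marker, or None."""
    match = MARKER.search(data)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def loads_dlls_from_own_dir(version: Tuple[int, int]) -> bool:
    """True when the NSIS version predates the fix described in the PR."""
    return version < FIXED_VERSION


def triage(data: bytes) -> str:
    """Classify an installer image: 'not-nsis', 'vulnerable' or 'ok'."""
    version = nsis_version(data)
    if version is None:
        return "not-nsis"
    return "vulnerable" if loads_dlls_from_own_dir(version) else "ok"


# Constructed sample images standing in for real installer bytes.
SAMPLE_OLD = b"MZ\x90\x00...Nullsoft Install System v2.46\x00..."
SAMPLE_NEW = b"MZ\x90\x00...Nullsoft Install System v3.03\x00..."
SAMPLE_OTHER = b"MZ\x90\x00...Inno Setup\x00..."

if __name__ == "__main__":
    # Usage: python nsis_check.py <installer.exe> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {triage(fh.read())}")
```

The check only reports which NSIS stub a binary was built with; it does not inspect what is on disk next to the installer.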
Note to reviewers: This pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.