Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Launcher: Update to latest build of NSIS to address potential Security Issues #9134

Closed
elliott94 opened this issue Jan 7, 2019 · 4 comments
Assignees
Labels
component/installer p4 https://github.com/nvaccess/nvda/blob/master/projectDocs/issues/triage.md#priority security

Comments

@elliott94
Copy link

NVDA is currently built with NSIS 2.51; however, in the latest builds of the installer several security issues have been address that could result in potential DLL hijacking (see https://nsis.sourceforge.io/Docs/AppendixF.html and search for "security" for more info). To prevent this, could we update to the latest NSIS build?

@LeonarddeR
Copy link
Collaborator

Note that the launcher is only used to start NVDA from it, it doesn't perform the installation itself.

Having said that, I've thought about updating NSIS as well, but it doesn't have that much priority. Giving it p3 for now.

@LeonarddeR LeonarddeR added component/installer security p4 https://github.com/nvaccess/nvda/blob/master/projectDocs/issues/triage.md#priority labels Jan 9, 2019
@dpy013
Copy link
Contributor

dpy013 commented Jan 21, 2020

hello
NSIS 3.05 release
thanks

@dpy013
Copy link
Contributor

dpy013 commented Mar 9, 2020

hello
This is the pull_request of NSIS to version 3.05, mainly to upgrade nsis from 2.51 to 3.05.
Upgrade NSIS to version 3.05 to address potential security issues.
thanks

@seanbudd seanbudd self-assigned this Feb 23, 2022
@seanbudd seanbudd mentioned this issue Feb 28, 2022
9 tasks
seanbudd added a commit that referenced this issue Mar 14, 2022
Fixes #13270, #9134

May fix #13329, #13222

NSIS 2.51 has been removed from miscDeps in Remove old version of NSIS to be moved to separate submodule nvda-misc-deps#24
NSIS 3.08 has been added to a new submodule in Add NSIS 3.08 distribution NSIS-build#2
Steps for updating NSIS have been added in Add process for updating NSIS NSIS-build#1
Summary of the issue:
NSIS is outdated (version 2.51 is from 2016).
A variety of issues have been coming up with the installer:

If special characters are in the path, the NSIS fails to run the installer
Installer is failing to start on certain builds of Windows (Windows 7 SP1, Windows 11 ARM, Windows 10 21H2)
Description of how this pull request fixes the issue:
NSIS has been moved to its own submodule (currently private while reviewing the repository settings).
this includes adding steps for updating in the future
NSIS has been updated to 3.08.
The UAC plugin has been removed, as it is now redundant.
NSIS elevates the uninstaller automatically now, rather than needing the UAC plugin. This has been confirmed with testing.
Minor build warnings have been fixed.
Testing strategy:
Follow the testing strategy in the NSIS submodule readme

Commit history:

* use latest nsis

* remove redundant plugin code

* Update NSIS link

* Fix build warnings for the installer and uninstaller

Fixes the following build warnings

For the installer:
    warning: !warning: MUI_LANGUAGE[EX] should be inserted after the MUI_[UN]PAGE_* macros (macro:MUI_LANGUAGEEX:6)

For the uninstaller:
    9100: Generating version information for language "1033-English" without standard key "FileVersion"

* add zh-hk information

* Update submodule commits

* update changes
@seanbudd
Copy link
Member

Closed via #13398

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component/installer p4 https://github.com/nvaccess/nvda/blob/master/projectDocs/issues/triage.md#priority security
Projects
None yet
Development

No branches or pull requests

4 participants