Merged
GHSA-q7c2-pgqm-vvw5

An exploit was possible which allowed a user to elevate from user to system privileges. This is via installing a malicious add-on to the secure screen. This allowed the user to execute arbitrary code with system permissions.

None

When NVDA is running in secure mode, such as on a secure screen, the following remote procedure calls are now blocked:

- installing an add-on to a secure desktop
- opening the config directory on the secure desktop (this does not appear to do anything on the secure desktop)

With a self-signed build:

- Test STR in GHSA-q7c2-pgqm-vvw5
- Smoke test the sign-in process
GHSA-grvr-j2h8-3qm4

Speech viewer remains open when Windows is locked. Speech viewer may contain a cache of secure information from the previous user session. That cache remains accessible when Windows is locked. This may lead to the exposure of private information.

An unauthenticated user on the lock screen is able to update an authenticated user's Braille and Speech Viewer settings from the lock screen. These settings do not have security implications; however, they should not be able to be updated by unauthenticated users.

- Speech Viewer is cleared when locking Windows.
- The Braille and Speech Viewer settings for "opening the viewer on start up" are disabled when Windows is locked.
- The Braille Viewer setting "hover for cell routing" does not change the user's configuration when Windows is locked.

Created an `extensionPoint` for Windows session state changes. Added hook to clear speech viewer when Windows is locked. Added hooks and checks to disable/enable relevant settings when Windows is locked/unlocked.
feerrenrut approved these changes on Oct 17, 2022
Must be merge commit not squash merge
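
The lock-state handling described in the pull request above (an extension point for session state changes, a hook that clears the speech viewer, and settings that refuse changes while Windows is locked), sketched as an added example. It is not NVDA's code and not part of the pull request; every class and method name is hypothetical.

```python
# Added illustration; not NVDA source code. Every name below is hypothetical.
from typing import Callable, List


class SessionStateAction:
    """Minimal extension point: handlers are told when the lock state changes."""
    def __init__(self) -> None:
        self._handlers: List[Callable[[bool], None]] = []

    def register(self, handler: Callable[[bool], None]) -> None:
        self._handlers.append(handler)

    def notify(self, is_locked: bool) -> List[Exception]:
        # Run every handler even if one raises, so a faulty handler cannot
        # stop a later handler from clearing sensitive state.
        errors: List[Exception] = []
        for handler in self._handlers:
            try:
                handler(is_locked)
            except Exception as exc:
                errors.append(exc)
        return errors


class SpeechViewer:
    """Keeps a text history of spoken output, which may hold private data."""
    def __init__(self, session: SessionStateAction) -> None:
        self.history: List[str] = []
        session.register(self._on_session_change)

    def _on_session_change(self, is_locked: bool) -> None:
        if is_locked:
            self.history.clear()  # Nothing from the user session survives the lock.


class ViewerSettings:
    """Persistent user configuration that must not change from the lock screen."""
    def __init__(self, session: SessionStateAction) -> None:
        self.show_on_startup = False
        self._locked = False
        session.register(self._on_session_change)

    def _on_session_change(self, is_locked: bool) -> None:
        self._locked = is_locked

    def set_show_on_startup(self, value: bool) -> bool:
        if self._locked:
            return False  # Refused: the caller is unauthenticated.
        self.show_on_startup = value
        return True
```
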