This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory


On 01/06/2016 07:17 AM, Stefan Kanthak wrote:
> Second and last chance!
> See <http://home.arcor.de/skanthak/policy.html>

Your policy page mentions a 45-day window, but:

> 
> ----- Original Message ----- 
> From: "Stefan Kanthak" <stefan.kanthak@nexgo.de>
> To: <security@cygwin.org>
> Cc: <security@redhat.com>
> Sent: Monday, December 28, 2015 4:23 AM

If this was your original off-list post, you just violated your own
policy, since you included cygwin AT cygwin.com which is a public list
on the ping, and thereby made the issue public, without waiting 45 days.


>> 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
>>   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
>>   it as UXTheme.dll in your "Downloads" directory;
>>
>> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;

You do realize that Windows XP is unsupported by Microsoft; if your
exploit requires an unsupported OS, does it really deserve a fix?

>>
>> I'll publish in 45 days.
>> See <http://home.arcor.de/skanthak/policy.html> and return the
>> CVE identifier assigned for this vulnerability to me!

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]