Mail Archives: cygwin/2016/01/07/12:40:13

Subject: Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
To: cygwin AT cygwin DOT com, stefan DOT kanthak AT nexgo DOT de
References: <EF7B6182B7C54BBAA5083C40EF14529D AT W340>
From: Eric Blake <eblake AT redhat DOT com>
Openpgp: url=http://people.redhat.com/eblake/eblake.gpg
Message-ID: <568EA2DC.3020900@redhat.com>
Date: Thu, 7 Jan 2016 10:39:40 -0700
In-Reply-To: <EF7B6182B7C54BBAA5083C40EF14529D@W340>

On 01/06/2016 07:17 AM, Stefan Kanthak wrote:
> Second and last chance!
> See <http://home.arcor.de/skanthak/policy.html>

Your policy page mentions a 45-day window, but:

>
> ----- Original Message -----
> From: "Stefan Kanthak" <stefan DOT kanthak AT nexgo DOT de>
> To: <security AT cygwin DOT org>
> Cc: <security AT redhat DOT com>
> Sent: Monday, December 28, 2015 4:23 AM

If this was your original off-list post, you just violated your own
policy, since you included cygwin AT cygwin.com which is a public list
on the ping, and thereby made the issue public, without waiting 45 days.


>> 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
>>   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
>>   it as UXTheme.dll in your "Downloads" directory;
>>
>> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;

You do realize that Windows XP is unsupported by Microsoft; if your
exploit requires an unsupported OS, does it really deserve a fix?

>>
>> I'll publish in 45 days.
>> See <http://home.arcor.de/skanthak/policy.html> and return the
>> CVE identifier assigned for this vulnerability to me!

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
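A defensive check for the DLL-planting step quoted above, added here as an example and not part of the thread or of Cygwin's own code: it lists DLLs sitting beside an installer that share a name with a system DLL, which is exactly what the loader would pick up from "Downloads" before System32. The directory it builds is constructed, and the set of system DLL names is an assumption taken from the two names in the report.

```python
# Added example (not from the thread): flag DLLs planted next to an installer.
# When an EXE loads a DLL that is not on the KnownDLLs list, Windows searches
# the application directory before System32, so a rogue UXTheme.dll or
# ClbCatQ.dll saved beside setup-x86.exe in "Downloads" is loaded in its place.
# The directory layout below is constructed to mirror the quoted steps; the
# system-DLL name set is an assumption, not a complete reference list.
import os
import tempfile
from pathlib import Path

# DLL names the thread identifies as hijack targets for setup-x86.exe.
# Extend this from your own baseline listing of %SystemRoot%\System32.
SYSTEM_DLL_NAMES = {"uxtheme.dll", "clbcatq.dll"}


def find_planted_dlls(app_dir, system_dll_names=SYSTEM_DLL_NAMES):
    """Return sorted lower-case names of files in app_dir that shadow a system DLL.

    Matching is case-insensitive because the Win32 loader is: 'UXTheme.dll'
    and 'uxtheme.dll' are the same hijack.
    """
    planted = []
    for entry in os.scandir(app_dir):
        if entry.is_file() and entry.name.lower() in system_dll_names:
            planted.append(entry.name.lower())
    return sorted(planted)


def audit_installer_dir(app_dir):
    """Summarise one directory: which DLLs would be preloaded from it."""
    planted = find_planted_dlls(app_dir)
    return {
        "directory": str(app_dir),
        "planted_dlls": planted,
        "safe_to_run_here": not planted,
    }


def build_constructed_downloads_dir(plant_dlls=True):
    """Create a throwaway directory that mimics the thread's 'Downloads' layout."""
    tmp = Path(tempfile.mkdtemp(prefix="downloads-"))
    (tmp / "setup-x86.exe").write_bytes(b"MZ placeholder installer")
    (tmp / "notes.txt").write_text("unrelated file")
    if plant_dlls:
        (tmp / "UXTheme.dll").write_bytes(b"MZ placeholder rogue dll")  # step 1
        (tmp / "ClbCatQ.dll").write_bytes(b"MZ placeholder rogue dll")  # step 2
    return tmp


if __name__ == "__main__":
    print(audit_installer_dir(build_constructed_downloads_dir()))
```

Run it against the real directory an installer was downloaded to before executing the installer; a non-empty `planted_dlls` list means move the EXE to an empty directory first.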


