Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Subject: Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
To: cygwin AT cygwin DOT com, stefan DOT kanthak AT nexgo DOT de
From: Eric Blake
Message-ID: <568EA2DC.3020900@redhat.com>
Date: Thu, 7 Jan 2016 10:39:40 -0700
On 01/06/2016 07:17 AM, Stefan Kanthak wrote:
> Second and last chance!
> See

Your policy page mentions a 45-day window, but:

>
> ----- Original Message -----
> From: "Stefan Kanthak"
> To:
> Cc:
> Sent: Monday, December 28, 2015 4:23 AM

If this was your original off-list post, you just violated your own policy, since you included cygwin AT cygwin.com, which is a public list, on the ping, and thereby made the issue public without waiting 45 days.

>> 1. visit , download
>> and save it as UXTheme.dll in your "Downloads" directory;
>>
>> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;

You do realize that Windows XP is unsupported by Microsoft; if your exploit requires an unsupported OS, does it really deserve a fix?

>>
>> I'll publish in 45 days.
>> See and return the
>> CVE identifier assigned for this vulnerability to me!
-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org