commit 4a145590d0e636e3acdd1f00037429771e64e3b8 Author: Kathy Brade brade@pearlcrescent.com Date: Fri Mar 20 15:40:23 2015 -0400
Bug 15201: Windows: disable "runas" code path in updater.
Instead of using "runas" to try to elevate privileges, the updater now fails if the user does not have permission to apply an update. This avoids potential security issues such as CVE-2015-0833. --- toolkit/mozapps/update/updater/updater.cpp | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp index ee7e245..3ba92b3 100644 --- a/toolkit/mozapps/update/updater/updater.cpp +++ b/toolkit/mozapps/update/updater/updater.cpp @@ -3033,6 +3033,16 @@ int NS_main(int argc, NS_tchar **argv) // using the service is because we are testing. if (!useService && !noServiceFallback && updateLockFileHandle == INVALID_HANDLE_VALUE) { +#ifdef TOR_BROWSER_UPDATE + // Because the user profile is contained within the Tor Browser + // installation directory, the user almost certainly has permission to + // apply updates. Therefore, to avoid potential security issues such + // as CVE-2015-0833, do not attempt to elevate privileges. Instead, + // write a "failed" message to the update status file (this function + // will return immediately after the CloseHandle(elevatedFileHandle) + // call below). + WriteStatusFile(WRITE_ERROR_ACCESS_DENIED); +#else SHELLEXECUTEINFO sinfo; memset(&sinfo, 0, sizeof(SHELLEXECUTEINFO)); sinfo.cbSize = sizeof(SHELLEXECUTEINFO); @@ -3054,6 +3064,7 @@ int NS_main(int argc, NS_tchar **argv) } else { WriteStatusFile(ELEVATION_CANCELED); } +#endif }
if (argc > callbackIndex) {