Message ID | 20230220174142.240393-2-kkostiuk@redhat.com (mailing list archive)
---|---
State | New, archived
Series | QGA installer fixes
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>

On Mon, Feb 20, 2023 at 7:41 PM Konstantin Kostiuk <kkostiuk@redhat.com> wrote:
>
> resolves: rhbz#2167436
> fixes: CVE-2023-0664
>
> Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> ---
>  qga/installer/qemu-ga.wxs | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> index 51340f7ecc..feb629ec47 100644
> --- a/qga/installer/qemu-ga.wxs
> +++ b/qga/installer/qemu-ga.wxs
> @@ -31,6 +31,7 @@
>      />
>      <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
>      <Property Id="WHSLogo">1</Property>
> +    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
>      <MajorUpgrade
>        DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
>        />
> --
> 2.25.1
>
On 20/2/23 18:41, Konstantin Kostiuk wrote:
> resolves: rhbz#2167436

"You are not authorized to access bug #2167436."

> fixes: CVE-2023-0664

This commit description is rather scarce...

I understand you are trying to fix a CVE, but we shouldn't play
the "security by obscurity" card. How can the community and
distributions know this security fix is enough with the bare
"Remove change action from MSI installer" justification?
Can't we do better?

> Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> ---
>  qga/installer/qemu-ga.wxs | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> index 51340f7ecc..feb629ec47 100644
> --- a/qga/installer/qemu-ga.wxs
> +++ b/qga/installer/qemu-ga.wxs
> @@ -31,6 +31,7 @@
>      />
>      <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
>      <Property Id="WHSLogo">1</Property>
> +    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
>      <MajorUpgrade
>        DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
>        />
> --
> 2.25.1
>
>
Hi Philippe,

On Tue, Feb 21, 2023 at 9:15 AM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> On 20/2/23 18:41, Konstantin Kostiuk wrote:
> > resolves: rhbz#2167436
>
> "You are not authorized to access bug #2167436."

Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=2167423.
It should now be accessible.

> > fixes: CVE-2023-0664
>
> This commit description is rather scarce...
>
> I understand you are trying to fix a CVE, but we shouldn't play
> the "security by obscurity" card. How can the community and
> distributions know this security fix is enough with the bare
> "Remove change action from MSI installer" justification?
> Can't we do better?

CCing Brian Wiltse, who originally found and reported this issue.

Reported-by: Brian Wiltse <brian.wiltse@live.com>

> > Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> > ---
> >  qga/installer/qemu-ga.wxs | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> > index 51340f7ecc..feb629ec47 100644
> > --- a/qga/installer/qemu-ga.wxs
> > +++ b/qga/installer/qemu-ga.wxs
> > @@ -31,6 +31,7 @@
> >      />
> >      <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
> >      <Property Id="WHSLogo">1</Property>
> > +    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
> >      <MajorUpgrade
> >        DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
> >        />
> > --
> > 2.25.1
> >
> >
>
On Tue, Feb 21, 2023 at 10:15 AM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:

> On 20/2/23 18:41, Konstantin Kostiuk wrote:
> > resolves: rhbz#2167436
>
> "You are not authorized to access bug #2167436."
>
> > fixes: CVE-2023-0664
>
> This commit description is rather scarce...
>
> I understand you are trying to fix a CVE, but we shouldn't play
> the "security by obscurity" card. How can the community and
> distributions know this security fix is enough with the bare
> "Remove change action from MSI installer" justification?
> Can't we do better?
>

This patch is part of the fix. I remove the 'change' button because the
installer has no components to choose from and the installer always
installs everything.

The second patch removes the interactive command shell.

> > Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> > ---
> >  qga/installer/qemu-ga.wxs | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> > index 51340f7ecc..feb629ec47 100644
> > --- a/qga/installer/qemu-ga.wxs
> > +++ b/qga/installer/qemu-ga.wxs
> > @@ -31,6 +31,7 @@
> >      />
> >      <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
> >      <Property Id="WHSLogo">1</Property>
> > +    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
> >      <MajorUpgrade
> >        DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
> >        />
> > --
> > 2.25.1
> >
> >
>
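A way to confirm on an installed guest that the ARPNOMODIFY property from this patch actually took effect, as an added example that is not part of the patch or the QEMU project: Windows Installer records ARPNOMODIFY as the NoModify value under the product's Uninstall registry key, which is what drives the Change button in Add/Remove Programs. The script assumes the agent registers its entry with a DisplayName starting with "QEMU guest agent"; that pattern is an assumption, not something the patch states.

```powershell
# Added example, not QEMU project code. Reports whether each installed
# "QEMU guest agent" Add/Remove Programs entry has the Change button
# suppressed (NoModify = 1), which is the effect of the ARPNOMODIFY property
# added to qemu-ga.wxs. The DisplayName pattern below is an assumption.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Each MSI product gets a subkey named after its ProductCode GUID; read the
# values of every subkey and keep the ones that look like the guest agent.
$entries = foreach ($root in $UninstallRoots) {
    if (Test-Path $root) {
        Get-ChildItem $root |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -like 'QEMU guest agent*' }
    }
}

if (-not $entries) {
    Write-Output 'No QEMU guest agent entry found under the Uninstall keys'
    exit 2
}

$failed = $false
foreach ($e in $entries) {
    # Builds that predate the ARPNOMODIFY property have no NoModify value at all,
    # so treat "absent" the same as 0 (Change button shown).
    $noModify = if ($null -ne $e.NoModify) { [int]$e.NoModify } else { 0 }
    $buttonState = if ($noModify -eq 1) { 'hidden' } else { 'SHOWN' }
    Write-Output ('{0} {1} [{2}]: Change button {3}' -f `
        $e.DisplayName, $e.DisplayVersion, $e.PSChildName, $buttonState)
    if ($noModify -ne 1) { $failed = $true }
}

# NoModify only governs the Add/Remove Programs UI. A maintenance transaction
# can still be started against the cached package with msiexec and the
# ProductCode (the PSChildName printed above), so a passing result here says
# nothing about whether the installer's interactive shell is still reachable.
if ($failed) { exit 1 }
```

Run it in an elevated PowerShell on the guest after installing the patched MSI; exit code 0 means every matching entry has NoModify set, 1 means at least one still shows the Change button, 2 means no entry was found. As the closing comment says, this checks only the UI path the patch touches, not the interactive shell that the thread says a separate patch removes.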
On Tue, Feb 21, 2023 at 09:15:15AM +0100, Philippe Mathieu-Daudé wrote:
> On 20/2/23 18:41, Konstantin Kostiuk wrote:
> > resolves: rhbz#2167436
>
> "You are not authorized to access bug #2167436."
>
> > fixes: CVE-2023-0664
>
> This commit description is rather scarce...
>
> I understand you are trying to fix a CVE, but we shouldn't play
> the "security by obscurity" card. How can the community and
> distributions know this security fix is enough with the bare
> "Remove change action from MSI installer" justification?
> Can't we do better?

Yes, commit messages should always describe the problem being solved
directly. Bug trackers usually make people wade through piles of
irrelevant comments & potentially misleading blind alleys during the
back & forth of triage. The important info needs to be distilled down
and put in the commit message, concisely describing the problem faced.
Bug tracker links have been known to bit-rot too.

The commit message needs to focus on /why/ the change was made, much
more than describing /what/ was changed.

> > Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> > ---
> >  qga/installer/qemu-ga.wxs | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> > index 51340f7ecc..feb629ec47 100644
> > --- a/qga/installer/qemu-ga.wxs
> > +++ b/qga/installer/qemu-ga.wxs
> > @@ -31,6 +31,7 @@
> >      />
> >      <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
> >      <Property Id="WHSLogo">1</Property>
> > +    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
> >      <MajorUpgrade
> >        DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
> >        />

With regards,
Daniel
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index 51340f7ecc..feb629ec47 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -31,6 +31,7 @@
     />
     <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
     <Property Id="WHSLogo">1</Property>
+    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
     <MajorUpgrade
       DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
       />
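Review bot: the added `<Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />` only removes the Change button from the Add/Remove Programs entry (Windows Installer records it as NoModify on the product's Uninstall key); it does not stop a local user from starting a maintenance or repair transaction against the cached package directly with msiexec, so by itself this line narrows the UI path rather than closing the privilege boundary. The reply in this thread says the interactive command shell is removed in a separate patch; the commit message should state that this hunk only hides the button and name the shell removal as the actual fix, so that distributions can judge whether backporting one patch without the other is sufficient for CVE-2023-0664. Separately, `Secure="yes"` is not needed for a value fixed in the Property table: it only adds ARPNOMODIFY to SecureCustomProperties so that a command-line value is carried into the elevated server side, which is not the intent here. Consider dropping it.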
resolves: rhbz#2167436
fixes: CVE-2023-0664

Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
---
 qga/installer/qemu-ga.wxs | 1 +
 1 file changed, 1 insertion(+)

--
2.25.1