Updated: setup (2.930)

Updated: setup (2.930)

[Jon Turney]

A new version of Setup (2.930) has been uploaded to:

  https://cygwin.com/setup-x86_64.exe  (64 bit version)
  https://cygwin.com/setup-x86.exe     (32 bit version)

Changes compared to 2.929:

- Add some hardening against "DLL hijacking" attacks (Thanks to Corinna 
Vinschen for doing all the thinking involved)

Briefly, these attacks involve tricking you into downloading a malicious 
DLL with the same name as a Windows system DLL into the same directory 
you download and then run setup from.


Replies to this message are not the place for setup feature requests.

For instructions on obtaining and building the source code for setup, 
see https://sourceware.org/cygwin-apps/setup.html

Please send bug reports, as usual, to the public mailing list cygwin AT 
cygwin DOT com.

Re: Updated: setup (2.930)

[Kaz Kylheku]

On 2024-02-07 11:57, Jon Turney via Cygwin wrote:
> A new version of Setup (2.930) has been uploaded to:
> 
>  https://cygwin.com/setup-x86_64.exe  (64 bit version)
>  https://cygwin.com/setup-x86.exe     (32 bit version)
> 
> Changes compared to 2.929:
> 
> - Add some hardening against "DLL hijacking" attacks (Thanks to Corinna Vinschen for doing all the thinking involved)

Is this because of the report submitted by Suman Chakraborty?

I didn't see any public response confirming that there is any problem,and that that action would be taken.

I see the commit: https://cygwin.com/cgit/cygwin-apps/setup/commit/?id=0122154811bacdd7dc042cff0c80bb0a36af360c

I'm curious, what improvement arises out of looking up the SetDefaultDllDirectories
function dynamically in kernel32.dll?

Is it the case that malicious software can interpose itself somehow such that
the statically linked SetDefaultDllDirectories call goes elsewhere other than
kernel32.dll, which we can thwart by asking for the genuine article in kernel32.dll?

(If this fixes the problem for Suman, he has some malware or antivirus crap on his PC.)