public inbox for cygwin@cygwin.com
* Updated: setup (2.930)
@ 2024-02-07 19:57 Jon Turney
  2024-02-09  2:17 ` Kaz Kylheku
  2024-02-09 14:05 ` Michael Soegtrop
  0 siblings, 2 replies; 8+ messages in thread
From: Jon Turney @ 2024-02-07 19:57 UTC (permalink / raw)
  To: cygwin-announce, The Cygwin Mailing List


A new version of Setup (2.930) has been uploaded to:

  https://cygwin.com/setup-x86_64.exe  (64 bit version)
  https://cygwin.com/setup-x86.exe     (32 bit version)

Changes compared to 2.929:

- Add some hardening against "DLL hijacking" attacks (Thanks to Corinna 
Vinschen for doing all the thinking involved)

Briefly, these attacks involve tricking you into downloading a malicious 
DLL with the same name as a Windows system DLL into the same directory 
you download and then run setup from.


Replies to this message are not the place for setup feature requests.

For instructions on obtaining and building the source code for setup, 
see https://sourceware.org/cygwin-apps/setup.html

Please send bug reports, as usual, to the public mailing list cygwin AT 
cygwin DOT com.

^ permalink raw reply	[flat|nested] 8+ messages in thread
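The announcement describes the attack surface as a DLL planted in the same directory setup is downloaded to and run from. A practitioner-side check for that condition, written here as an added example rather than anything shipped by the Cygwin project: list any DLLs sitting beside the setup binary, flag those whose names coincide with DLLs in System32, and show their Authenticode status. It assumes Windows PowerShell 5.1 or later; the Downloads path is a placeholder.

```powershell
# Added example, not Cygwin setup's own code. Lists DLLs that share a directory
# with setup and would therefore be found first by the default DLL search order.
function Find-ShadowingDlls {
    param(
        [Parameter(Mandatory)] [string] $SetupPath,
        # Assumed location of the genuine system DLLs.
        [string] $SystemDir = (Join-Path $env:SystemRoot 'System32')
    )
    $dir = Split-Path -Parent (Resolve-Path $SetupPath)

    # Build a case-insensitive set of system DLL names (Windows paths are
    # case-insensitive, so compare lower-cased names).
    $systemNames = @{}
    Get-ChildItem -Path $SystemDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $systemNames[$_.Name.ToLowerInvariant()] = $true }

    Get-ChildItem -Path $dir -Filter '*.dll' -File | ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            ShadowsSystem = $systemNames.ContainsKey($_.Name.ToLowerInvariant())
            Signature     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }
}

# Usage (placeholder path): the directory setup runs from should contain no DLLs at all.
$findings = Find-ShadowingDlls -SetupPath "$env:USERPROFILE\Downloads\setup-x86_64.exe"
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Move setup to an empty directory before running it.'
} else {
    Write-Host 'No DLLs found beside setup; nothing in the application directory to load first.'
}
```

Any DLL at all next to setup is worth questioning, not only those that shadow a System32 name; the ShadowsSystem column just marks the ones the loader would pick over the system copy under the pre-hardening search order.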

* Re: Updated: setup (2.930)
  2024-02-07 19:57 Updated: setup (2.930) Jon Turney
@ 2024-02-09  2:17 ` Kaz Kylheku
  2024-02-09 13:36   ` Jon Turney
  2024-02-09 14:05 ` Michael Soegtrop
  1 sibling, 1 reply; 8+ messages in thread
From: Kaz Kylheku @ 2024-02-09  2:17 UTC (permalink / raw)
  To: Jon Turney; +Cc: cygwin-announce, The Cygwin Mailing List

On 2024-02-07 11:57, Jon Turney via Cygwin wrote:
> A new version of Setup (2.930) has been uploaded to:
> 
>  https://cygwin.com/setup-x86_64.exe  (64 bit version)
>  https://cygwin.com/setup-x86.exe     (32 bit version)
> 
> Changes compared to 2.929:
> 
> - Add some hardening against "DLL hijacking" attacks (Thanks to Corinna Vinschen for doing all the thinking involved)

Is this because of the report submitted by Suman Chakraborty?

I didn't see any public response confirming that there is any problem, and that that action would be taken.

I see the commit: https://cygwin.com/cgit/cygwin-apps/setup/commit/?id=0122154811bacdd7dc042cff0c80bb0a36af360c

I'm curious, what improvement arises out of looking up the SetDefaultDllDirectories
function dynamically in kernel32.dll?

Is it the case that malicious software can interpose itself somehow such that
the statically linked SetDefaultDllDirectories call goes elsewhere other than
kernel32.dll, which we can thwart by asking for the genuine article in kernel32.dll?

(If this fixes the problem for Suman, he has some malware or antivirus crap on his PC.)


* Re: Updated: setup (2.930)
  2024-02-09  2:17 ` Kaz Kylheku
@ 2024-02-09 13:36   ` Jon Turney
  2024-02-09 16:20     ` Corinna Vinschen
  0 siblings, 1 reply; 8+ messages in thread
From: Jon Turney @ 2024-02-09 13:36 UTC (permalink / raw)
  To: Kaz Kylheku; +Cc: cygwin

On 09/02/2024 02:17, Kaz Kylheku via Cygwin wrote:
> 
> I see the commit: https://cygwin.com/cgit/cygwin-apps/setup/commit/?id=0122154811bacdd7dc042cff0c80bb0a36af360c
> 
> I'm curious, what improvement arises out of looking up the SetDefaultDllDirectories
> function dynamically in kernel32.dll?
> 
> Is it the case that malicious software can interpose itself somehow such that
> the statically linked SetDefaultDllDirectories call goes elsewhere other than
> kernel32.dll, which we can thwart by asking for the genuine article in kernel32.dll?

You're looking at the wrong commit there.

The dynamic lookup merely ensures that setup continues to work at all on 
Windows versions (<6.0), which don't support that function.

Instead look at:

https://cygwin.com/cgit/cygwin-apps/setup/commit/?id=86c0ada12dce4403a9b796380fde9e5c1824734f


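Jon's point is that setup resolves SetDefaultDllDirectories at run time only so that it still starts on Windows versions whose kernel32.dll does not export it. The same probe can be run from PowerShell to learn whether the hardening can take effect on a given host; this is an added example, not code from the setup repository, and assumes Windows PowerShell 5.1 or later with the ability to compile a P/Invoke stub via Add-Type.

```powershell
# Added example, not Cygwin setup's own code. Asks the already-loaded kernel32.dll
# whether it exports SetDefaultDllDirectories, the same question setup's dynamic
# lookup asks before calling it.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

function Test-DefaultDllDirectoriesSupport {
    # kernel32.dll is mapped into every Win32 process, so GetModuleHandle returns
    # the copy already in use without issuing a new LoadLibrary search.
    $k32 = [Win32.Native]::GetModuleHandleW('kernel32.dll')
    if ($k32 -eq [IntPtr]::Zero) { throw 'kernel32.dll is not mapped in this process' }

    $fn = [Win32.Native]::GetProcAddress($k32, 'SetDefaultDllDirectories')
    [pscustomobject]@{
        # Note: unmanifested processes may report a capped OS version; the export
        # check below is the authoritative answer.
        OSVersion = [Environment]::OSVersion.Version.ToString()
        Exported  = ($fn -ne [IntPtr]::Zero)
    }
}

Test-DefaultDllDirectoriesSupport
```

Exported = False means the host's kernel32.dll predates the function (or lacks the backport Corinna mentions later in the thread), so setup falls back to running without this particular mitigation rather than failing to start.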

* Re: Updated: setup (2.930)
  2024-02-07 19:57 Updated: setup (2.930) Jon Turney
  2024-02-09  2:17 ` Kaz Kylheku
@ 2024-02-09 14:05 ` Michael Soegtrop
  2024-02-09 16:10   ` Jon Turney
  1 sibling, 1 reply; 8+ messages in thread
From: Michael Soegtrop @ 2024-02-09 14:05 UTC (permalink / raw)
  To: The Cygwin Mailing List

Hi Jon,

 > A new version of Setup (2.930) has been uploaded to:
 >
 >   https://cygwin.com/setup-x86_64.exe  (64 bit version)
 >   https://cygwin.com/setup-x86.exe     (32 bit version)

apparently this update broke the 32 bit install of cygwin. I am still 
having this in my nightly CI (Coq Platform) and it broke the night 7th 
to 8th. I checked locally and apparently the list of mirrors is empty 
and giving any mirror on the command line leads to an exit of setup 
without any error message. I tried e.g.:

"C:\bin\cygwin_cache\setup-x86.exe" --proxy " " --site 
"https://mirrors.kernel.org/sourceware/cygwin" --root 
"C:\bin\cygw32_coq_platform" --local-package-dir "C:\bin\cygwin_cache" 
--no-shortcuts --allow-unsupported-windows -q --no-admin

I checked the specific mirror I gave and the x86 packages appear to be 
still there.

This is 100% reproducible locally and in GitHub CI.

Best regards,

Michael


* Re: Updated: setup (2.930)
  2024-02-09 14:05 ` Michael Soegtrop
@ 2024-02-09 16:10   ` Jon Turney
  2024-02-09 16:55     ` Michael Soegtrop
  0 siblings, 1 reply; 8+ messages in thread
From: Jon Turney @ 2024-02-09 16:10 UTC (permalink / raw)
  To: Michael Soegtrop; +Cc: cygwin

On 09/02/2024 14:05, Michael Soegtrop via Cygwin wrote:
> Hi Jon,
> 
>  > A new version of Setup (2.930) has been uploaded to:
>  >
>  >   https://cygwin.com/setup-x86_64.exe  (64 bit version)
>  >   https://cygwin.com/setup-x86.exe     (32 bit version)
> 
> apparently this update broke the 32 bit install of cygwin. I am still 
> having this in my nightly CI (Coq Platform) and it broke the night 7th 
> to 8th. I checked locally and apparently the list of mirrors is empty 
> and giving any mirror on the command line leads to an exit of setup 
> without any error message. I tried e.g.:

Thanks for reporting this.

For the time being, I've reverted the URL to point to the previous 
32-bit build, while I investigate.



* Re: Updated: setup (2.930)
  2024-02-09 13:36   ` Jon Turney
@ 2024-02-09 16:20     ` Corinna Vinschen
  2024-02-09 17:02       ` Corinna Vinschen
  0 siblings, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2024-02-09 16:20 UTC (permalink / raw)
  To: cygwin

On Feb  9 13:36, Jon Turney via Cygwin wrote:
> On 09/02/2024 02:17, Kaz Kylheku via Cygwin wrote:
> > 
> > I see the commit: https://cygwin.com/cgit/cygwin-apps/setup/commit/?id=0122154811bacdd7dc042cff0c80bb0a36af360c
> > 
> > I'm curious, what improvement arises out of looking up the SetDefaultDllDirectories
> > function dynamically in kernel32.dll?
> > 
> > Is it the case that malicious software can interpose itself somehow such that
> > the statically linked SetDefaultDllDirectories call goes elsewhere other than
> > kernel32.dll, which we can thwart by asking for the genuine article in kernel32.dll?
> 
> You're looking at the wrong commit there.
> 
> The dynamic lookup merely ensures that setup continues to work at all on
> Windows versions (<6.0), which don't support that function.

Typo.  Windows < 6.2.  SetDefaultDllDirectories has been introduced with
Windows 8.


Corinna


* Re: Updated: setup (2.930)
  2024-02-09 16:10   ` Jon Turney
@ 2024-02-09 16:55     ` Michael Soegtrop
  0 siblings, 0 replies; 8+ messages in thread
From: Michael Soegtrop @ 2024-02-09 16:55 UTC (permalink / raw)
  To: Jon Turney; +Cc: cygwin

Hi Jon,

> Thanks for reporting this.
> 
> For the time being, I've reverted the URL to point to the previous 
> 32-bit build, while I investigate.

Thanks for the quick action! I can confirm that this fixed my CI (at 
least it starts to install Cygwin).

Best regards,

Michael


* Re: Updated: setup (2.930)
  2024-02-09 16:20     ` Corinna Vinschen
@ 2024-02-09 17:02       ` Corinna Vinschen
  0 siblings, 0 replies; 8+ messages in thread
From: Corinna Vinschen @ 2024-02-09 17:02 UTC (permalink / raw)
  To: cygwin

On Feb  9 17:20, Corinna Vinschen via Cygwin wrote:
> On Feb  9 13:36, Jon Turney via Cygwin wrote:
> > On 09/02/2024 02:17, Kaz Kylheku via Cygwin wrote:
> > > 
> > > I see the commit: https://cygwin.com/cgit/cygwin-apps/setup/commit/?id=0122154811bacdd7dc042cff0c80bb0a36af360c
> > > 
> > > I'm curious, what improvement arises out of looking up the SetDefaultDllDirectories
> > > function dynamically in kernel32.dll?
> > > 
> > > Is it the case that malicious software can interpose itself somehow such that
> > > the statically linked SetDefaultDllDirectories call goes elsewhere other than
> > > kernel32.dll, which we can thwart by asking for the genuine article in kernel32.dll?
> > 
> > You're looking at the wrong commit there.
> > 
> > The dynamic lookup merely ensures that setup continues to work at all on
> > Windows versions (<6.0), which don't support that function.
> 
> Typo.  Windows < 6.2.  SetDefaultDllDirectories has been introduced with
> Windows 8.

...and with KB2533623 it was also backported to Vista, W7, and the
equivalent server versions, so just ignore me.

Corinna

