Headline
CVE-2022-46330: Better delay load urlmon and move official build to GH Actions by robmen · Pull Request #1807 · Squirrel/Squirrel.Windows
Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. Installers generated by Squirrel.Windows 2.0.1 and earlier contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer.
Conversation
First update the project to reduce the number of linked libraries and ensure the most likely non-OS loaded DLLS are delay loaded. Then simplify the DLL hijack mitigation to always dynamically link to SetDefaultDllDirectories in case Squirrel is used on and old Win7 that is missing the necessary KB.
The “build_official.cmd” now creates all of the build artifacts and the “devbuild.cmd” is a quick way for developers to get a build from the command-line. With these two batch files in place, move the official build pipeline from Azure DevOps to GitHub Actions.
robmen deleted the robmen/urlmon-ghactions branch
May 31, 2022