qemu-devel

Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer


From: Konstantin Kostiuk
Subject: Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer
Date: Tue, 21 Feb 2023 11:33:21 +0200




On Tue, Feb 21, 2023 at 10:15 AM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
On 20/2/23 18:41, Konstantin Kostiuk wrote:
> resolves: rhbz#2167436

"You are not authorized to access bug #2167436."

> fixes: CVE-2023-0664

This commit description is rather scarce...

I understand you are trying to fix a CVE, but we shouldn't play
the "security by obscurity" card. How can the community and
distributions know this security fix is enough with the bare
"Remove change action from MSI installer" justification?
Can't we do better?

This patch is part of the fix. I remove the 'change' button because
the installer has no components to choose from and the installer
always installs everything.

The second patch removes the interactive command shell.
 

> Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> ---
>   qga/installer/qemu-ga.wxs | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> index 51340f7ecc..feb629ec47 100644
> --- a/qga/installer/qemu-ga.wxs
> +++ b/qga/installer/qemu-ga.wxs
> @@ -31,6 +31,7 @@
>         />
>       <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
>       <Property Id="WHSLogo">1</Property>
> +    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
>       <MajorUpgrade
>         DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
>         />
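
Review bot: The added `ARPNOMODIFY` property on the `+` line carries no comment, and the commit message gives no rationale, so a reader of qemu-ga.wxs cannot tell why disabling the change action belongs to the CVE-2023-0664 fix. Suggest an XML comment above the property noting that the installer has no components to choose from and always installs everything, and a commit message that says this is one part of the fix and that the interactive command shell is handled in patch 2/2. Minor style point: the neighbouring `WHSLogo` property uses the element-text form while the new one uses a `Value` attribute; one form for the file would read better.
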
> --
> 2.25.1
>
>

