On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote: > 1. Executive Summary: > > The vulnerability pertains to not finding > the profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll, SspiCli.dll, > Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL, > PROPSYS.dll and insecure loading of dynamic link libraries (DLLs), > specifically profapi.dll. If exploited, this vulnerability could allow an > attacker to execute arbitrary code on a victim's machine, potentially > leading to data breaches, system compromise, and other malicious activities.
By what means is setup.exe probing these DLLs? I don't see any references to profapi.dll in its source tree (git grep -i profapi turns up nothing). If these DLL's being missing doesn't stop the program from running, doesn't that mean it's just probing for them with LoadLibrary or LoadLibraryEx explicitly, and then handling the failure gracefully? Setup itself doesn't use LoadLibrary or LoadLibraryEx. The MinGW toolchain must be introducing that somehow? It is curious. -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
