On Tue, Feb 21, 2023 at 10:15 AM Philippe Mathieu-Daudé <phi...@linaro.org>
wrote:

> On 20/2/23 18:41, Konstantin Kostiuk wrote:
> > resolves: rhbz#2167436
>
> "You are not authorized to access bug #2167436."
>
> > fixes: CVE-2023-0664
>
> This commit description is rather scarce...
>
> I understand you are trying to fix a CVE, but we shouldn't play
> the "security by obscurity" card. How can the community and
> distributions know this security fix is enough with the bare
> "Remove change action from MSI installer" justification?
> Can't we do better?
>

This patch is part of the fix. I remove the 'change' button because
the installer has no components to choose from and the installer
always installs everything.

The second patch removes the interactive command shell.


>
> > Signed-off-by: Konstantin Kostiuk <kkost...@redhat.com>
> > ---
> >   qga/installer/qemu-ga.wxs | 1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> > index 51340f7ecc..feb629ec47 100644
> > --- a/qga/installer/qemu-ga.wxs
> > +++ b/qga/installer/qemu-ga.wxs
> > @@ -31,6 +31,7 @@
> >         />
> >       <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab"
> EmbedCab="yes" />
> >       <Property Id="WHSLogo">1</Property>
> > +    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
> >       <MajorUpgrade
> >         DowngradeErrorMessage="Error: A newer version of QEMU guest
> agent is already installed."
> >         />
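
Review bot: the added ARPNOMODIFY property line carries no comment, and neither it nor the commit message says why hiding the Change action is part of the CVE-2023-0664 fix. Suggest an XML comment above the property saying that the installer has no selectable components and so the Change action is disabled, plus a commit message that states this is one part of the fix and what the companion patch covers. It would also help to say whether Repair is meant to stay available, since this hunk sets only ARPNOMODIFY.
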
> > --
> > 2.25.1
> >
> >
>
>
