#2029 About Winmerge & Microsoft Security Advisory (2269637)



It turns out that Winmerge is affected by the DLL hijacking security issue detailed in this MS bulletin: http://www.microsoft.com/technet/security/advisory/2269637.mspx, as shown by executing DLLHijackAuditKit v2 (http://blog.metasploit.com/2010/08/better-faster-stronger.html) on a station with Winmerge installed.
Please, could you plan any very short term fix?


  • Requin

    Requin - 2010-08-30
    • priority: 5 --> 9
  • Kimmo Varis

    Kimmo Varis - 2010-08-30

    No short term fix for 2.12 at least. I don't even have environment I could build 2.12 anymore (needing old version of Visual Studio).

    If its about plugins, they are not installed by default. And using them is open to many kinds of nasty bugs.

    For next release I can just disable plugins loading totally (about time!).

  • Requin

    Requin - 2010-08-30

    This is a serious issue FMPOV (and not only mine ;-), so not really a problem if it is not in a 2.12 patch, the important is to get a version fixing this issue, whatever it is 2.13 or something else.
    Concerning the relation to "plugins", actually I had to choose a category while submitting the bug, so I picked "plugins" that was the one I expect to be more likely affected. However, as the issue is present as soon as LoadLibrary is used without specifying the full path for the DLL, I think other parts of the application may be concerned. BTW, DLLHijackAuditKit v2 indicated that Winmerge was affected at least when loading mfc71loc.dll. And as it loads the app itself, I guess this is default behavior not related to plugins...

  • Requin

    Requin - 2010-08-31

    Here is the output I get on W7 with DLLHijackAuditKit v2:
    [*] Application: winmergeu.exe
    [*] Successfully exploited winmergeu.exe with .winmerge using mfc71enu.dll
    [*] Successfully exploited winmergeu.exe with .winmerge using mfc71loc.dll

  • Kimmo Varis

    Kimmo Varis - 2010-08-31

    Well, those DLLs are loaded by MS's other runtime DLLs, not by WinMerge code.

    Which means we have to update to later(/latest) runtime versions. Which is dead end for 2.12.x versions.

    2.13.x already uses VS 2005 runtimes. So if those runtimes are not vulnerable then the bug is already fixed in 2.13.x. If not, then we need to update to VS2008 runtimes. Luckily that is much less painful than update from VS 2003 runtimes was.

    Getting 2.14.x stable release out takes few months. There is no really way to make it fast process. Somebody needs to update documentation, we need to give translators time to update translations. And there are plenty of bugs to fix.

  • Kimmo Varis

    Kimmo Varis - 2010-08-31
    • labels: 591208 -->
  • Takashi Sawanaka

    Committed to SVN trunk. Completed: At revision: 7244

  • Kimmo Varis

    Kimmo Varis - 2010-09-13

    List of vulnerable applications URL picked from duplicate bug (#3064516):

    This got a lot more publicity than I thought of and WinMerge got its own Secunia advisory for this:

    So there is no other way than do new 2.12.x stable release. It will be painful and somewhat risky thing to do as it will be a lot more than this security fix. But we can't leave all users vulnerable either.

    Takashi, can you merge/port your fix to R2_12 branch also?

  • Kimmo Varis

    Kimmo Varis - 2010-09-13
    • milestone: 102450 --> Branch_+_Trunk
  • Takashi Sawanaka

    >Takashi, can you merge/port your fix to R2_12 branch also?

    Committed to R2_12 branch. Completed: At revision: 7259

  • Kimmo Varis

    Kimmo Varis - 2010-09-25
    • assigned_to: nobody --> sdottaka
    • status: open --> open-fixed
  • Kimmo Varis

    Kimmo Varis - 2010-09-25

    Changing resolution to fixed since the fix is committed to SVN and also released as latest experimental release.

    Stable release is not yet available and it is best to keep this bug item open until that happens to avoid lots of duplicate bugs.

  • Frank Delano

    Frank Delano - 2010-12-07

    Does this mean a new stable release will be release?

    I also saw the note on the user forums saying the current release is infected with malware, so maybe it be removed?

  • Kimmo Varis

    Kimmo Varis - 2010-12-07

    Do you really think we distribute malware for users for over an year? The way virus checkers and other malware finders works means there will be occasional false positives. This seems to happen once in a year for WinMerge (InnoSetup installer seems to cause many false alarms).

    The release happens when people have time to do all the work for it.

  • Christian List

    Christian List - 2013-02-03
    • status: open-fixed --> closed-fixed

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks