[wix-users] WiX v3.10.2 Important Security Fix Release

Andreas Buchner Andreas.Buchner at inloox.com
Fri Jan 22 06:39:54 PST 2016 

No, only burn as Rob mentioned here:
https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/
Note that MSI packages and patches are not affected by this Windows vulnerability. They are executed by the Windows Installer service which lives in the Windows system folder and therefore isn't vulnerable to DLL hijacking like downloaded executables.


-----Ursprüngliche Nachricht-----
Von: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] Im Auftrag von RonnyS
Gesendet: Freitag, 22. Januar 2016 14:58
An: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Betreff: Re: [wix-users] WiX v3.10.2 Important Security Fix Release

Are only "Burn" installation of this security problem affected?
Or also single MSI Installation?

2016-01-22 8:49 GMT+01:00 Andreas Buchner <Andreas.Buchner at inloox.com>:

> Rob, thanks for providing these information.
> I´ve created a small application (just opening a WinForm) with and 
> without calling SetDefaultDllDirectories .
> Even if I compile the Application with .Net 4.5.2 I´m getting the same 
> exception when calling SetDefaultDllDirectories in Win7x86 and Win7x64 
> (Server 2008R2 not tested yet).
>
> Does anyone have an idea for a workaround on this? :)
>
> Regards,
> Andreas Buchner
>
>
> -----Ursprüngliche Nachricht-----
> Von: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] Im 
> Auftrag von Rob Mensching
> Gesendet: Freitag, 22. Januar 2016 01:46
> An: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Betreff: Re: [wix-users] WiX v3.10.2 Important Security Fix Release
>
> Andreas,
>
> First, make sure you're running a supported .NET Framework:
> http://blogs.msdn.com/b/dotnet/archive/2015/12/09/support-ending-for-t
> he-net-framework-4-4-5-and-4-5-1.aspx
>
> If the issue still happens in a supported .NET Framework, open a new 
> Connect bug.
>
> Apparently the old Connect bug (listed below) is ignored since it's 
> open against unsupported products.
>
> _____________________________________________________________
>  Short replies here. Complete answers over there:
> http://www.firegiant.com/
>
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On 
> Behalf Of Rob Mensching
> Sent: Thursday, January 21, 2016 11:55 AM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] WiX v3.10.2 Important Security Fix Release
>
> Looks like a long standing bug in WinForms:
> https://connect.microsoft.com/VisualStudio/feedback/details/806981/add
> dlldirectory-and-setdefaultdlldirectories-causes-crash-in-windows-form
> s-application
>
> _____________________________________________________________
>  Short replies here. Complete answers over there:
> http://www.firegiant.com/
>
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On 
> Behalf Of Andreas Buchner
> Sent: Thursday, January 21, 2016 10:42 AM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] WiX v3.10.2 Important Security Fix Release
>
> Hi Everyone,
>
> today we upgraded our bootstrapper(s) from 3.10.1.2213 to 3.10.2.2516. 
> The new compiled bootstrapper can´t be started on Win7 and Server 2008 
> operating systems (Vista, Win8.1, Win 10 works). I get the following
> exception:
>
> System.ArgumentException: Font '?' cannot be found.
> bei System.Drawing.FontFamily.GetGdipGenericSansSerif()
>    bei System.Drawing.FontFamily.get_GenericSansSerif()
>    bei System.Drawing.SystemFonts.get_DefaultFont()
>    bei System.Windows.Forms.Control.get_DefaultFont()
>    bei System.Windows.Forms.Control.get_Font()
>    bei System.Windows.Forms.Control.AssignParent(Control value)
>    bei System.Windows.Forms.Control.ControlCollection.Add(Control value)
>    bei System.Windows.Forms.TableLayoutControlCollection.Add(Control
> control, Int32 column, Int32 row)
>    bei .InstallDialog.InitializeComponent()
>
> We double checked this issue to get sure that the only difference is 
> the new version of wix. Can anyone imagine how the new version can 
> cause this issue?
> I´m not sure if the issue is only related to the operating system or a 
> combination of OS and installed .Net framework version.
>
> Thanks in advance!
> Regards,
>
> Andreas Buchner
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant 
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant 
> http://www.firegiant.com/
>

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

More information about the wix-users mailing list