[wix-users] Workaround GDI+ security vulnerability

Stewart Lynch stewartlynch8 at gmail.com
Thu May 26 13:04:35 PDT 2016


Thank you. I have submitted my bug with all of the information and attached
files. Let me know if there's anything else that you need.

https://github.com/wixtoolset/issues/issues/5308

Many thanks,

Stewart.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of
Sean Hall
Sent: 26 May 2016 20:11
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] Workaround GDI+ security vulnerability

Please file a bug at https://github.com/wixtoolset/issues/issues and attach
the logs there (this list doesn't support attachments).  Make sure to
include steps that we can take to reproduce the issue.

On Thu, May 26, 2016 at 1:10 PM, Stewart Lynch <stewartlynch8 at gmail.com>
wrote:

> Scratch that. It's still not working with the latest version. I really 
> don't know what to do now.
>
>
> -----Original Message-----
> From: Stewart Lynch [mailto:stewartlynch8 at gmail.com]
> Sent: 26 May 2016 18:40
> To: 'WiX Toolset Users Mailing List' <wix-users at lists.wixtoolset.org>
> Subject: RE: [wix-users] Workaround GDI+ security vulnerability
>
> This appears to be fixed in v3.10.3.2924. If both the old and new 
> installers have been built with that version of WiX, updating works. It 
> would be good to have a confirmation that this has actually been 
> fixed.
>
> This doesn't help my clients that have installed the version built 
> with v3.10.3.2917, I'll have to tell them to uninstall manually.
>
>
>
> -----Original Message-----
> From: Stewart Lynch [mailto:stewartlynch8 at gmail.com]
> Sent: 26 May 2016 18:18
> To: 'WiX Toolset Users Mailing List' <wix-users at lists.wixtoolset.org>
> Subject: RE: [wix-users] Workaround GDI+ security vulnerability
>
> I can confirm that it's the old installer that is throwing this error. 
> When it tries to uninstall the old version the burn exe crashes on 
> startup, just as it did in the original problem. It seems that this 
> problem wasn't fixed in all cases 
> (https://github.com/wixtoolset/wix3/pull/351)
>
> If anyone would find a repro useful I can share my two installer exes. 
> It only seems to happen on Win7 (I have a clean Win7 install on a VM).
>
> Stewart.
>
>
> -----Original Message-----
> From: Stewart Lynch [mailto:stewartlynch8 at gmail.com]
> Sent: 26 May 2016 17:25
> To: 'WiX Toolset Users Mailing List' <wix-users at lists.wixtoolset.org>
> Subject: RE: [wix-users] Workaround GDI+ security vulnerability
>
> Yes, that's the full log. After my custom burn app threw the exception 
> I cancelled it, which closed everything down. I've attached the two 
> log files that I see in my temp folder. I don't see any errors in my 
> Application event log.
>
> I guess it could be something that I'm doing in my custom app that is 
> causing this, I'll see if I can debug into it and see exactly where 
> it's failing. I have a suspicion that it may be because I have a custom 
> action where I run another exe. It's just a bit suspicious that it's 
> exactly the same exception as a known bug that was fixed recently.
>
> I just had another thought, could it be that it's failing uninstalling 
> the old version, it works if I uninstall manually. I see that my two 
> log files have different burn version numbers. I updated to the very 
> latest version when I built the new installer.
>
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On 
> Behalf Of Sean Hall
> Sent: 26 May 2016 15:38
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] Workaround GDI+ security vulnerability
>
> Is that the complete Burn log?  That looks like the bundle crashed, is 
> there an error in the Application event log?
>
> There were a couple of bugs in 3.10.3.2917, can you try 3.10.3.2924?
> http://wixtoolset.org/releases/v3-10-3-2924/
>
> On Thu, May 26, 2016 at 7:28 AM, Stewart Lynch 
> <stewartlynch8 at gmail.com>
> wrote:
>
> > Hi,
> >
> >
> >
> > I've been having a problem with my custom burn exe throwing an 
> > exception when it tried to access .NET assemblies. This is the
> > exception:
> >
> > Font '?' cannot be found
> >
> > I think it failed to load the .NET system.drawing.dll while trying 
> > to create a font.
> >
> >
> >
> > The exe was throwing the exception as soon as it started. I 
> > eventually found that this was fixed in this change:
> >
> > https://github.com/wixtoolset/wix3/pull/351
> >
> > After updating to v3.10.3.2917 the exe would run and the 
> > installation completed.
> >
> >
> >
> > However, when I next changed the version number and try to 
> > install an update I get the same exception after the msi has 
> > finished installing. The Burn log file is below. Looking at the msi 
> > log file it shows that it completed successfully, it was the burn 
> > exe that threw the exception after the msi completed. I'm installing on
> > Win7.
> >
> >
> >
> > Is this a known problem?
> >
> >
> >
> > Many thanks,
> >
> >
> >
> > Stewart.
> >
> >
> >
> > ------------------------------
> >
> > Burn log file:
> >
> >
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i001: Burn v3.10.3.2917, Windows v6.1 (Build 7601: Service Pack 1), path: C:\Users\STEWAR~1\AppData\Local\Temp\{18067DD0-80C1-4DF9-A27C-935986BF5FB3}\.cr\FramePro_x64_setup (1).exe
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i000: Initializing string variable 'InstallFolder' to value '[ProgramFiles64Folder]PureDevSoftware\FramePro'
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i000: Initializing string variable 'CodeInstallFolder' to value '[ProgramFiles64Folder]PureDevSoftware\FramePro'
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i009: Command Line: '"-burn.clean.room=C:\Users\Stewart Win7 Clean\Downloads\FramePro_x64_setup (1).exe"'
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\Stewart Win7 Clean\Downloads\FramePro_x64_setup (1).exe'
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\Stewart Win7 Clean\Downloads\'
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\STEWAR~1\AppData\Local\Temp\FramePro_20160526130225.log'
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i000: Setting string variable 'WixBundleName' to value 'FramePro'
> >
> > [0FA0:0FA4][2016-05-26T13:02:25]i000: Setting string variable 'WixBundleManufacturer' to value 'PureDev Software'
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i000: Loading managed bootstrapper application.
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i000: Creating BA thread to run asynchronously.
> >
> > [0FA0:0CA4][2016-05-26T13:02:26]i000: Launching SCLInstaller
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i100: Detect begin, 3 packages
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i052: Condition 'InstallFolderTestSearch' evaluates to false.
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i000: Setting string variable 'Netfx4x64FullVersion' to value '4.6.01055'
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i000: Setting numeric variable 'InstallFolderTestSearch' to value 1
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i000: Setting string variable 'VCRedistInstalled' to value '1'
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i000: Setting string variable 'Netfx4FullVersion' to value '4.6.01055'
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i000: Setting numeric variable 'CodeInstallFolderTestSearch' to value 1
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i052: Condition 'CodeInstallFolderTestSearch' evaluates to true.
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i000: Setting string variable 'CodeInstallFolder' to value 'C:\Program Files\PureDevSoftware\FramePro\'
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i102: Detected related bundle: {c5a08f6f-1434-4d51-b2b3-d0c259eab4b3}, type: Upgrade, scope: PerMachine, version: 1.2.2.0, operation: MajorUpgrade
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i052: Condition 'VCRedistInstalled' evaluates to true.
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i052: Condition 'Netfx4FullVersion AND (NOT VersionNT64 OR Netfx4x64FullVersion)' evaluates to true.
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i103: Detected related package: {E0101584-EB2E-467D-8F8F-85B72DEE77CE}, scope: PerMachine, version: 1.2.2.0, language: 0 operation: MajorUpgrade
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i101: Detected package: VS2015Runtime, state: Present, cached: None
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i101: Detected package: Netfx4Full, state: Present, cached: None
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i101: Detected package: FramePro, state: Absent, cached: None
> >
> > [0FA0:0FA4][2016-05-26T13:02:26]i199: Detect complete, result: 0x0
> >
> > [0FA0:0CA4][2016-05-26T13:02:29]i000: Setting string variable 'InstallFolder' to value 'C:\Program Files\PureDevSoftware\FramePro'
> >
> > [0FA0:0CA4][2016-05-26T13:02:29]i000: Setting string variable 'CodeInstallFolder' to value 'C:\Program Files\PureDevSoftware\FramePro\'
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i200: Plan begin, 3 packages, action: Install
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]w321: Skipping dependency registration on package with no dependency providers: VS2015Runtime
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]w321: Skipping dependency registration on package with no dependency providers: Netfx4Full
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i000: Setting string variable 'WixBundleRollbackLog_FramePro' to value 'C:\Users\STEWAR~1\AppData\Local\Temp\FramePro_20160526130225_000_FramePro_rollback.log'
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i000: Setting string variable 'WixBundleLog_FramePro' to value 'C:\Users\STEWAR~1\AppData\Local\Temp\FramePro_20160526130225_000_FramePro.log'
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i201: Planned package: VS2015Runtime, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i201: Planned package: Netfx4Full, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i201: Planned package: FramePro, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i207: Planned related bundle: {c5a08f6f-1434-4d51-b2b3-d0c259eab4b3}, type: Upgrade, default requested: Absent, ba requested: Absent, execute: Uninstall, rollback: Install, dependency: None
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i299: Plan complete, result: 0x0
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i300: Apply begin
> >
> > [0FA0:0FA4][2016-05-26T13:02:29]i010: Launching elevated engine process.
> >
> > [0FA0:0FA4][2016-05-26T13:02:32]i011: Launched elevated engine process.
> >
> > [0FA0:0FA4][2016-05-26T13:02:32]i012: Connected to elevated engine.
> >
> > [0C0C:0C10][2016-05-26T13:02:32]i358: Pausing automatic updates.
> >
> > [0C0C:0C10][2016-05-26T13:02:34]i359: Paused automatic updates.
> >
> > [0C0C:0C10][2016-05-26T13:02:34]i360: Creating a system restore point.
> >
> > [0C0C:0C10][2016-05-26T13:02:40]i361: Created a system restore point.
> >
> > [0C0C:0C10][2016-05-26T13:02:40]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{02a49190-b153-4651-b5bb-2539855b0e5c}, options: 0x7, disable resume: No
> >
> > [0C0C:0C10][2016-05-26T13:02:40]i000: Caching bundle from: 'C:\Users\STEWAR~1\AppData\Local\Temp\{74E73143-1A17-445B-8A5C-8C89F74AD707}\.be\FramePro_x64_setup.exe' to: 'C:\ProgramData\Package Cache\{02a49190-b153-4651-b5bb-2539855b0e5c}\FramePro_x64_setup.exe'
> >
> > [0C0C:0C10][2016-05-26T13:02:40]i320: Registering bundle dependency provider: {02a49190-b153-4651-b5bb-2539855b0e5c}, version: 1.2.3.0
> >
> > [0C0C:0C10][2016-05-26T13:02:40]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{02a49190-b153-4651-b5bb-2539855b0e5c}, resume: Active, restart initiated: No, disable resume: No
> >
> > [0FA0:0EE0][2016-05-26T13:02:40]i336: Acquiring container: WixAttachedContainer, copy from: C:\Users\Stewart Win7 Clean\Downloads\FramePro_x64_setup (1).exe
> >
> > [0FA0:0EE0][2016-05-26T13:02:40]i000: Setting string variable 'WixBundleLastUsedSource' to value 'C:\Users\Stewart Win7 Clean\Downloads\'
> >
> > [0C0C:040C][2016-05-26T13:02:40]i305: Verified acquired payload: FramePro at path: C:\ProgramData\Package Cache\.unverified\FramePro, moving to: C:\ProgramData\Package Cache\{DB44BBC8-BA64-41A9-BD90-F76DA22AB5E2}v1.2.3.0\FrameProInstaller64.msi.
> >
> > [0C0C:0C10][2016-05-26T13:02:40]i323: Registering package dependency provider: {DB44BBC8-BA64-41A9-BD90-F76DA22AB5E2}, version: 1.2.3.0, package: FramePro
> >
> > [0C0C:0C10][2016-05-26T13:02:40]i301: Applying execute package: FramePro, action: Install, path: C:\ProgramData\Package Cache\{DB44BBC8-BA64-41A9-BD90-F76DA22AB5E2}v1.2.3.0\FrameProInstaller64.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" INSTALLLOCATION="C:\Program Files\PureDevSoftware\FramePro" CODEINSTALLLOCATION="C:\Program Files\PureDevSoftware\FramePro\"'
> >
> > [0FA0:0FA4][2016-05-26T13:02:51]i319: Applied execute package: FramePro, result: 0x0, restart: None
> >
> > [0C0C:0C10][2016-05-26T13:02:51]i325: Registering dependency: {02a49190-b153-4651-b5bb-2539855b0e5c} on package provider: {DB44BBC8-BA64-41A9-BD90-F76DA22AB5E2}, package: FramePro
> >
> > [0C0C:0C10][2016-05-26T13:02:51]i301: Applying execute package: {c5a08f6f-1434-4d51-b2b3-d0c259eab4b3}, action: Uninstall, path: C:\ProgramData\Package Cache\{c5a08f6f-1434-4d51-b2b3-d0c259eab4b3}\FramePro_x64_setup.exe, arguments: '-burn.filehandle.self=536 "C:\ProgramData\Package Cache\{c5a08f6f-1434-4d51-b2b3-d0c259eab4b3}\FramePro_x64_setup.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={02a49190-b153-4651-b5bb-2539855b0e5c}'
> >
> >
> > ____________________________________________________________________
> > WiX Toolset Users Mailing List provided by FireGiant 
> > http://www.firegiant.com/
> >