This is the mail archive of the cygwin mailing list for the Cygwin project.

Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory

On 01/06/2016 07:17 AM, Stefan Kanthak wrote:
> Second and last chance!
> See <>

Your policy page mentions a 45-day window, but:

> ----- Original Message ----- 
> From: "Stefan Kanthak" <>
> To: <>
> Cc: <>
> Sent: Monday, December 28, 2015 4:23 AM

If this was your original off-list post, you just violated your own
policy, since you included cygwin AT which is a public list
on the ping, and thereby made the issue public, without waiting 45 days.

>> 1. visit <>, download
>>   <> and save
>>   it as UXTheme.dll in your "Downloads" directory;
>> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;

You do realize that Windows XP is unsupported by Microsoft; if your
exploit requires an unsupported OS, does it really deserve a fix?

>> I'll publish in 45 days.
>> See <> and return the
>> CVE identifier assigned for this vulnerability to me!

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library

Attachment: signature.asc
Description: OpenPGP digital signature
