[Users] Windows Installer, rebuild necessary because of NSIS improvement?

Andrej Kacian andrej at kacian.sk
Fri Dec 4 12:46:55 CET 2015

On Fri, 4 Dec 2015 09:52:23 +0100
Bernhard Reiter <bernhard at intevation.de> wrote:

> Hi Paul, Andrej,
> sending this email to you, because you were in contact
> with us about Claws and Gpg4win this year before.
> You have probably seen our security advisory about a weakness in the installer
> we are using:  https://www.gpg4win.de/news-20151125.html
> Because your installer for Windows is based on ours 
> I guess you should consider the info in the advisory
> and do a rebuild with the patches if you have not done so.
> Note that we will also change our install instructions to advise users 
> to use a fresh directory or a full Administrator account to install Gpg4win
> to avoid these problems on a more principal level.

Hello Bernhard,

thanks for thinking about us. :)

Yes, I have noticed the advisory, but did not yet have the time to look
into it in detail. I actually planned to do it this weekend. So far, I
have the impression that we will need to:

1. Use an updated NSIS to build our next win32 release. The packages
in Intevation's apt repository seem to work fine on Debian Stretch.

2. Strongly suggest to our users that they should be careful about
the directory they run the installer from.

Is there anything else? I am not well-versed in how Windows handles
DLLs, and some of the discussion on the NSIS bug tracker went right over my

I also was wondering whether #2 could not be mitigated using a check at
the beginning of the installer, which could check if there are any *.dll
files in the starting directory. Or does the preloading happen even before
any user code gets to run?

> ps.: Do you have reports about Claws working fine with our latest Gpg4win 
> 2.3.0? Would be interesting for us. :)
> pps.: I'm sending a copy to your users list, though I am not subscribed, I 
> briefly checked our tracker and the list for signs of this already being 
> mentioned before my email.

I haven't seen any, which could very well mean that it works fine. :) I
myself have only tried it with Gpg4win 2.2.6 so far.

Kind regards,