1
1
Fork 0
mirror of https://github.com/pbatard/rufus.git synced 2024-08-14 23:57:05 +00:00
Commit graph

18 commits

Author SHA1 Message Date
Pete Batard
79a03637d6 update ChangeLog for BETA release 2017-11-01 13:22:51 +00:00
Pete Batard
293440b2e9 [pki] fix a minor initialization issue 2017-10-13 10:47:26 +01:00
Pete Batard
13ba3e75b3 [misc] fix VS2017 code analysis warnings
* Also set rufus-next to 2.18
2017-09-14 19:06:04 +01:00
Pete Batard
e3fbfb30d3 [pki] add country code validation on signature check
* Also validate against the CN rather than the simple name, and require an exact match
2017-09-11 12:13:47 +01:00
Pete Batard
c22b378f9a [misc] display image and disk size in the log
* Also fix 2 Coverity warnings
* Also remove unneeded LFs in drive.c
2017-09-08 15:38:30 +01:00
Pete Batard
9464ae94a4 [pki] more ASN.1 parser improvements 2017-09-05 22:21:34 +01:00
Pete Batard
94e4c0905b [pki] improve ASN.1 parser
* Enable search from OIDs expressed as strings and ignore non UNIVERSAL classes
2017-09-04 14:32:56 +01:00
Pete Batard
a73e695ba4 [pki] timestamp validation improvements
* Add timestamp processing for nested signature and check for anomalous differences
* Also prevent attack scenarios that may attempt to leverage multiple nested signatures or countersigners
* Simplify code by using CryptDecodeObjectEx/WinVerifyTrustEx and improve timestamp reporting
2017-09-03 13:54:07 +01:00
Pete Batard
35da381a11 [pki] check timestamp chronology during update validation
* Done to address the second "vulnerability" proposed in #1009, independently
  of the protocol used.
2017-09-02 15:27:56 +01:00
Pete Batard
c3c39f7f8a [pki] fix https://www.kb.cert.org/vuls/id/403768
* This commit effectively fixes https://www.kb.cert.org/vuls/id/403768 (CVE-2017-13083) as
  it is described per its revision 11, which is the latest revision at the time of this commit,
  by disabling Windows prompts, enacted during signature validation, that allow the user to
  bypass the intended signature verification checks.
* It needs to be pointed out that the vulnerability ("allow(ing) the use of a self-signed
  certificate"), which relies on the end-user actively ignoring a Windows prompt that tells
  them that the update failed the signature validation whilst also advising against running it,
  is being fully addressed, even as the update protocol remains HTTP.
* It also need to be pointed out that the extended delay (48 hours) between the time the
  vulnerability was reported and the moment it is fixed in our codebase has to do with
  the fact that the reporter chose to deviate from standard security practices by not
  disclosing the details of the vulnerability with us, be it publicly or privately,
  before creating the cert.org report. The only advance notification we received was a
  generic note about the use of HTTP vs HTTPS, which, as have established, is not
  immediately relevant to addressing the reported vulnerability.
* Closes #1009
* Note: The other vulnerability scenario described towards the end of #1009, which
  doesn't have to do with the "lack of CA checking", will be addressed separately.
2017-08-31 12:19:11 +01:00
Pete Batard
36cadcfcca [pki] improve error handling
* FormatMessage() does not handle PKI errors
* Also fix an issue with non-official version detection when the language is not English
2017-08-27 15:07:35 +01:00
Pete Batard
54ee68f6fc [pki] have GetSignatureName() use the current binary on NULL parameter 2017-06-15 17:25:13 +01:00
Pete Batard
e2481efcd9 [pki] application security improvements
* Also clean up registry variables and add IsRegistryNode() call
2017-04-12 20:40:43 +01:00
Pete Batard
c3f47ada06 [misc] add missing.h header
* Also clean up code
2016-02-20 22:52:32 +00:00
Pete Batard
e1f8b276c8 [loc] fix various RTL issues
* MSG_002 doesn't display in RTL
* Update Policy dialog loses RTL setting after the first paragraph
* Some text displayed in native Windows message boxes is not using RTL
 (even as the Message Box itself will display the rest of the UI elements as RTL)
* Detect if the relevant language pack is installed and use MessageBoxEx to
  display native message box buttons using the selected language.
* All theses issues are part of #621
* Also remove trailing whitespaces
2015-10-18 21:37:58 +01:00
Pete Batard
a228919263 [loc] update base translation to v1.0.19
* Also update French translation to latest
* Also improve signature check for downloaded updates
2015-10-15 23:51:06 +01:00
Pete Batard
7b3b96cd9e [pki] add signature check on update downloads - part 2
* Closes #158
2015-10-13 23:29:30 +01:00
Pete Batard
cd911ad738 [pki] add signature check on update downloads - part 1
* This is part of enhancement #158
2015-10-12 22:03:41 +01:00