2019/12/03

Configure autoupdate project settings from the command line


We have recently released InstallBuilder 19.11.0. With this update it's now possible to use --setvars with the autoupdate builder. This allows you to set different autoupdate project settings and variables from the command line variables in the command line. For example:

./autoupdate/bin/customize.run build autoupdate-project.xml linux-x64 --setvars autoupdate.installerFilename=sample.run

Here is the complete list of improvements:


  • Updated HTTP/HTTPS internal dependencies
  • Improved AutoUpdate handling of malformed update.xml files [CVE-2020-3946]
  • Support --setvars command-line option when building the AutoUpdate
  • Support customizing license file location when building the AutoUpdate
  • Improved images rendering on macOS Builder
  • Improved Windows installers exit handling
  • Added .NET 4.8 autodetection
  • Updated documentation
  • Fixed <enableSsl> not honored on Windows at uninstallation time when using signed uninstallers
  • Fixed startmenu shortcuts not being created on windows-x64 installers
  • Fixed HTTP actions not honoring customized Accept header
  • Fixed false signing failure detection when building on macOS Catalina

UPDATE:

We have created a CVE entry (CVE-2020-3946) for the "AutoUpdate handling of malformed update.xml files" issue fixed in InstallBuilder 19.11.0, which could be exploited to crash the AutoUpdate process:


Denial Of Service attack when checking for Updates
InstallBuilder AutoUpdate tool and regular installers enabling <checkForUpdates> built with versions earlier than 19.11 are vulnerable to Billion laughs attack (denial-of-service).
Background
When checking for updates, the configured remote server is contacted to retrieve an XML containing information about the existing installer versions. This XML is then loaded in memory in the user machine. An attacker can forge a special XML exploiting entity expansion that will result in the AutoUpdate consuming system memory until it crashes.
Exploiting this vulnerability requires an attacker to either place the malicious XML in the updates remote server (or to impersonate it via DNS spoofing) or by modifying the updates URL in the user machine updates.ini file.
Remediation
Affected InstallBuilder customers using the <checkForUpdates> functionality or distributing the AutoUpdate should update to version 19.11.0 or later and release new versions.

Our engineers have evaluated this issue to have CVSSv3 score of 5.4

We would like to thank Tesla Read Team for reporting this issue to us.