Configure autoupdate project settings from the command line


We have recently released InstallBuilder 19.11.0. With this update it is now possible to use --setvars with the AutoUpdate builder, which allows you to override AutoUpdate project settings and variables directly from the command line instead of editing the project file. For example:

./autoupdate/bin/customize.run build autoupdate-project.xml linux-x64 --setvars autoupdate.installerFilename=sample.run

Here is the complete list of improvements:

  • Updated HTTP/HTTPS internal dependencies
  • Improved AutoUpdate handling of malformed update.xml files [CVE-2020-3946]
  • Support --setvars command-line option when building the AutoUpdate
  • Support customizing license file location when building the AutoUpdate
  • Improved images rendering on macOS Builder
  • Improved Windows installers exit handling
  • Added .NET 4.8 autodetection
  • Updated documentation
  • Fixed <enableSsl> not honored on Windows at uninstallation time when using signed uninstallers
  • Fixed startmenu shortcuts not being created on windows-x64 installers
  • Fixed HTTP actions not honoring customized Accept header
  • Fixed false signing failure detection when building on macOS Catalina

UPDATE:

We have created a CVE entry (CVE-2020-3946) for the "AutoUpdate handling of malformed update.xml files" issue fixed in InstallBuilder 19.11.0. The issue could be exploited to crash the AutoUpdate process:

Denial Of Service attack when checking for Updates

The InstallBuilder AutoUpdate tool, and regular installers with <checkForUpdates> enabled, built with versions earlier than 19.11 are vulnerable to a "billion laughs" XML entity expansion attack (denial of service).

Background

When checking for updates, the configured remote server is contacted to retrieve an XML document (update.xml) describing the available installer versions. This XML is then parsed and loaded into memory on the user's machine. An attacker can forge a special XML document that abuses nested entity expansion, so that parsing it makes the AutoUpdate process consume system memory until it crashes.

Exploiting this vulnerability requires the attacker either to place the malicious XML on the remote updates server (or to impersonate that server, for example via DNS spoofing), or to modify the updates URL in the updates.ini file on the user's machine.
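
The following is an added example, not InstallBuilder's own code, showing both sides of the issue described above: a generator for a small "billion laughs" manifest (with a function that computes how much memory a naive parser would materialise for it, without actually expanding anything), and a hardened loader that refuses any DOCTYPE or ENTITY declaration before the document is ever parsed, which is the check an updater fetching a manifest from the network should make. The manifest layout (<updates>/<release>), the hostname and the 256 KiB size cap are constructed assumptions, not the real update.xml format or any InstallBuilder setting.

```python
"""Hardened loading of an update manifest fetched from a remote server.

Added example; the <updates>/<release> layout, the example.com URL and the
size cap below are assumptions, not InstallBuilder's real update.xml format.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Update manifests are tiny; reject anything oversized before parsing (assumed limit).
MAX_MANIFEST_BYTES = 256 * 1024


class UnsafeUpdateXML(ValueError):
    """Raised when a manifest carries a DTD or entity declaration."""


def build_billion_laughs(depth: int = 3, fanout: int = 10) -> bytes:
    """Construct a small 'billion laughs' document (constructed attacker input).

    Entity lolN references lol(N-1) `fanout` times, so expanding lol<depth>
    yields fanout**depth copies of the leaf string while the file stays tiny.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY lol{i} "' + f"&lol{i - 1};" * fanout + '">')
    dtd = "<!DOCTYPE lolz [\n  " + "\n  ".join(decls) + "\n]>"
    return f'<?xml version="1.0"?>\n{dtd}\n<lolz>&lol{depth};</lolz>\n'.encode()


def expanded_size(depth: int = 3, fanout: int = 10, leaf: str = "lol") -> int:
    """Bytes a naive parser would allocate for build_billion_laughs(depth, fanout)."""
    return len(leaf) * fanout ** depth


def reject_dtd(data: bytes) -> None:
    """Scan with expat and abort at the first DOCTYPE or ENTITY declaration.

    Expat calls these handlers while reading the prolog, before any entity is
    expanded, so the scan costs O(len(data)) regardless of the expansion factor.
    An exception raised inside a handler propagates out of Parse().
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeUpdateXML(f"DOCTYPE {name!r} is not allowed in an update manifest")

    def on_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise UnsafeUpdateXML(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def load_update_manifest(data: bytes) -> list:
    """Return [{'version', 'platform', 'url'}, ...] or raise UnsafeUpdateXML."""
    if len(data) > MAX_MANIFEST_BYTES:
        raise UnsafeUpdateXML(f"manifest of {len(data)} bytes exceeds {MAX_MANIFEST_BYTES}")
    reject_dtd(data)               # gate first: no DTD, no entities, no expansion
    root = ET.fromstring(data)     # only reached for DTD-free documents
    return [
        {"version": r.get("version"), "platform": r.get("platform"), "url": r.findtext("url")}
        for r in root.iter("release")
    ]


def is_safe_manifest(data: bytes) -> bool:
    """True if the manifest passes the gate and parses, False if it is rejected."""
    try:
        load_update_manifest(data)
        return True
    except UnsafeUpdateXML:
        return False


# Constructed benign manifest in the assumed layout.
SAMPLE_MANIFEST = b"""<?xml version="1.0"?>
<updates>
  <release version="19.11.0" platform="linux-x64">
    <url>https://updates.example.com/sample-19.11.0-linux-x64-installer.run</url>
  </release>
</updates>
"""

if __name__ == "__main__":
    print(load_update_manifest(SAMPLE_MANIFEST))
    print("naive expansion of depth 9, fanout 10:", expanded_size(9, 10), "bytes")
    print("billion laughs rejected:", not is_safe_manifest(build_billion_laughs()))
```

The gate runs before the real parse rather than relying on the XML library's own expansion limits, because those limits vary by library version and because a manifest has no legitimate need for a DTD at all; rejecting the declaration is both cheaper and easier to reason about than bounding the expansion.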

Remediation

Affected InstallBuilder customers using the <checkForUpdates> functionality or distributing the AutoUpdate should update to version 19.11.0 or later and release new versions.

Our engineers have evaluated this issue to have a CVSSv3 score of 5.4.

We would like to thank Tesla Red Team for reporting this issue to us.