• Bug#1103524: nsis: CVE-2025-43715

    From Moritz Mühlenhoff@21:1/5 to All on Fri Apr 18 18:10:01 2025
    Source: nsis
    X-Debbugs-CC: team@security.debian.org
    Severity: important
    Tags: security

    Hi,

    The following vulnerability was published for nsis.

    Does this also affect nsis as packaged in Debian? Probably yes, since it's
    meant to provide installers which will then run on Windows?

    CVE-2025-43715[0]:
    | Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows
    | allows local users to escalate privileges to SYSTEM during an
    | installation, because the temporary plugins directory is created
    | under %WINDIR%\temp and unprivileged users can place a crafted
    | executable file by winning a race condition. This occurs because
    | EW_CREATEDIR does not always set the CreateRestrictedDirectory error
    | flag.

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-43715
    https://www.cve.org/CVERecord?id=CVE-2025-43715

    Please adjust the affected versions in the BTS as needed.

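The defensive pattern behind the CVE description above, as an added example that is not part of the original message and is not NSIS code: a POSIX analogue in C in which creating a private directory under a shared temp location fails if the path already exists, and the caller's error flag is set on every failure path. The Windows fix concerns directory ACLs, which this sketch does not model; the function names `create_restricted_dir` and `prepare_plugins_dir` and the `/tmp/plugins_demo_*` path are assumptions made for illustration.

```c
/* Added example: POSIX analogue, not NSIS source. Function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a fresh directory only the caller can access.
 * Returns 0 on success, -1 on any failure. */
int create_restricted_dir(const char *path)
{
    struct stat st;

    /* mkdir() is atomic: if anything already exists at `path`, including a
     * directory another user planted first, it fails (EEXIST) and we refuse
     * to reuse it. */
    if (mkdir(path, 0700) != 0)
        return -1;

    /* Verify the result without following symlinks: a directory, owned by
     * us, with no group/other permission bits. */
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        rmdir(path);
        return -1;
    }
    return 0;
}

/* Caller side: every failure path sets the error flag, and the caller must
 * stop instead of writing or executing files in the directory. */
int prepare_plugins_dir(const char *path, int *error_flag)
{
    *error_flag = (create_restricted_dir(path) != 0);
    return *error_flag ? -1 : 0;
}

int main(void)
{
    char path[64];
    int err;
    snprintf(path, sizeof path, "/tmp/plugins_demo_%ld", (long)getpid());
    prepare_plugins_dir(path, &err);
    printf("fresh directory:        error flag = %d\n", err);
    prepare_plugins_dir(path, &err);   /* same path now pre-exists */
    printf("pre-existing directory: error flag = %d\n", err);
    rmdir(path);
    return 0;
}
```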