If these paths are unquoted, and the path contains spaces (C:\Program Files (x86)\...), this could be exploited by putting a binary with a crafted name (C:\Program.exe), leading to priviledge escalation as this is a service that is being started. https://www.commonexploits.com/unquoted-service-paths/ Bug reported by Chris Moberly --- win-guest-tools.nsis | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/win-guest-tools.nsis b/win-guest-tools.nsis index c23bf1d..908bf07 100644 --- a/win-guest-tools.nsis +++ b/win-guest-tools.nsis @@ -114,7 +114,7 @@ Section "install" CreateDirectory "$INSTDIR\hooks\after_migration" CreateDirectory "$INSTDIR\hooks\before_migration" - ExecWait "$INSTDIR\vcredist_x86.exe /q" + ExecWait '"$INSTDIR\vcredist_x86.exe /q"' !endif SetOutPath "$INSTDIR\32" @@ -326,7 +326,7 @@ Function InstallDriver Pop $0 StrCpy $1 $R1 Push $1 - StrCpy $2 "$INSTDIR\drivers\$0" + StrCpy $2 '"$INSTDIR\drivers\$0"' Push $2 StrCpy $3 "$2\$R1.inf" Push $3 @@ -416,7 +416,7 @@ Function InstallService ${endif} DetailPrint "Installing $R2 service" - SimpleSC::InstallService $R0 $R2 16 2 $R1 "" "" "" + SimpleSC::InstallService $R0 $R2 16 2 '"$R1"' "" "" "" Pop $0 ${if} $0 != 0 DetailPrint "Failed to install $R2 service: $0" -- 2.13.6 _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel