If these paths are unquoted, and the path contains spaces (C:\Program Files (x86)\...), this could be exploited by putting a binary with a crafted name (C:\Program.exe), leading to privilege escalation as this is a service that is being started. https://www.commonexploits.com/unquoted-service-paths/ Bug reported by Chris Moberly --- Changes since v2: Fixed vcredist_x86.exe quoting, removed unneeded quoting win-guest-tools.nsis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/win-guest-tools.nsis b/win-guest-tools.nsis index c54608a..19d45a3 100644 --- a/win-guest-tools.nsis +++ b/win-guest-tools.nsis @@ -114,7 +114,7 @@ Section "install" CreateDirectory "$INSTDIR\hooks\after_migration" CreateDirectory "$INSTDIR\hooks\before_migration" - ExecWait "$INSTDIR\vcredist_x86.exe /q" + ExecWait '"$INSTDIR\vcredist_x86.exe" /q' !endif SetOutPath "$INSTDIR\32" @@ -414,7 +414,7 @@ Function InstallService ${endif} DetailPrint "Installing $R2 service" - SimpleSC::InstallService $R0 $R2 16 2 $R1 "" "" "" + SimpleSC::InstallService $R0 $R2 16 2 '"$R1"' "" "" "" Pop $0 ${if} $0 != 0 DetailPrint "Failed to install $R2 service: $0" -- 2.14.3 _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel