VYPR
Get started
← All advisories
High severity7.3NVD Advisory· Published Mar 24, 2024· Updated Apr 15, 2026

CVE-2024-29187

CVE-2024-29187

Description

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
wixNuGet
< 3.14.13.14.1
wixNuGet
>= 4.0.0, < 4.0.54.0.5
WixToolset.SdkNuGet
< 4.0.54.0.5

Patches

2
75a8c75d4e02

Protect elevated working folder from malicious data

https://github.com/wixtoolset/wixRob MenschingMar 21, 2024via ghsa
commit
7 files changed · +49 37
  • src/burn/engine/cache.cpp+31 4 modified
    @@ -107,6 +107,7 @@ static HRESULT SecurePath(
     __in LPCWSTR wzPath
     );
 static HRESULT CopyEngineToWorkingFolder(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __in_z LPCWSTR wzSourcePath,
     __in_z LPCWSTR wzWorkingFolderName,
@@ -342,6 +343,7 @@ extern "C" HRESULT CacheEnsureAcquisitionFolder(
 }
 
 extern "C" HRESULT CacheEnsureBaseWorkingFolder(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __deref_out_z_opt LPWSTR* psczBaseWorkingFolder
     )
@@ -350,15 +352,32 @@ extern "C" HRESULT CacheEnsureBaseWorkingFolder(
 
     HRESULT hr = S_OK;
     LPWSTR sczPotential = NULL;
+    PSECURITY_DESCRIPTOR psd = NULL;
+    LPSECURITY_ATTRIBUTES pWorkingFolderAcl = NULL;
 
     if (!pCache->fInitializedBaseWorkingFolder)
     {
+        // If elevated, allocate the pWorkingFolderAcl to protect the working folder to only SYSTEM and Admins.
+        if (fElevated)
+        {
+            LPCWSTR wzSddl = L"D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)";
+            if (!::ConvertStringSecurityDescriptorToSecurityDescriptorW(wzSddl, SDDL_REVISION_1, &psd, NULL))
+            {
+                ExitWithLastError(hr, "Failed to create the security descriptor for the working folder.");
+            }
+
+            pWorkingFolderAcl = reinterpret_cast<LPSECURITY_ATTRIBUTES>(MemAlloc(sizeof(SECURITY_ATTRIBUTES), TRUE));
+            pWorkingFolderAcl->nLength = sizeof(SECURITY_ATTRIBUTES);
+            pWorkingFolderAcl->lpSecurityDescriptor = psd;
+            pWorkingFolderAcl->bInheritHandle = FALSE;
+        }
+
         for (DWORD i = 0; i < pCache->cPotentialBaseWorkingFolders; ++i)
         {
             hr = PathConcatRelativeToFullyQualifiedBase(pCache->rgsczPotentialBaseWorkingFolders[i], pCache->wzGuid, &sczPotential);
             if (SUCCEEDED(hr))
             {
-                hr = DirEnsureExists(sczPotential, NULL);
+                hr = DirEnsureExists(sczPotential, pWorkingFolderAcl);
                 if (SUCCEEDED(hr))
                 {
                     pCache->sczBaseWorkingFolder = sczPotential;
@@ -385,6 +404,11 @@ extern "C" HRESULT CacheEnsureBaseWorkingFolder(
     }
 
 LExit:
+    ReleaseMem(pWorkingFolderAcl);
+    if (psd)
+    {
+        ::LocalFree(psd);
+    }
     ReleaseStr(sczPotential);
 
     return hr;
@@ -900,6 +924,7 @@ extern "C" HRESULT CachePreparePackage(
 }
 
 extern "C" HRESULT CacheBundleToCleanRoom(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __in BURN_SECTION* pSection,
     __deref_out_z_opt LPWSTR* psczCleanRoomBundlePath
@@ -914,7 +939,7 @@ extern "C" HRESULT CacheBundleToCleanRoom(
 
     wzExecutableName = PathFile(sczSourcePath);
 
-    hr = CopyEngineToWorkingFolder(pCache, sczSourcePath, BUNDLE_CLEAN_ROOM_WORKING_FOLDER_NAME, wzExecutableName, pSection, psczCleanRoomBundlePath);
+    hr = CopyEngineToWorkingFolder(fElevated, pCache, sczSourcePath, BUNDLE_CLEAN_ROOM_WORKING_FOLDER_NAME, wzExecutableName, pSection, psczCleanRoomBundlePath);
     ExitOnFailure(hr, "Failed to cache bundle to clean room.");
 
 LExit:
@@ -924,6 +949,7 @@ extern "C" HRESULT CacheBundleToCleanRoom(
 }
 
 extern "C" HRESULT CacheBundleToWorkingDirectory(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __in_z LPCWSTR wzExecutableName,
     __in BURN_SECTION* pSection,
@@ -948,7 +974,7 @@ extern "C" HRESULT CacheBundleToWorkingDirectory(
     }
     else // otherwise, carry on putting the bundle in the working folder.
     {
-        hr = CopyEngineToWorkingFolder(pCache, sczSourcePath, BUNDLE_WORKING_FOLDER_NAME, wzExecutableName, pSection, psczEngineWorkingPath);
+        hr = CopyEngineToWorkingFolder(fElevated, pCache, sczSourcePath, BUNDLE_WORKING_FOLDER_NAME, wzExecutableName, pSection, psczEngineWorkingPath);
         ExitOnFailure(hr, "Failed to copy engine to working folder.");
     }
 
@@ -2099,6 +2125,7 @@ static HRESULT SecurePath(
 
 
 static HRESULT CopyEngineToWorkingFolder(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __in_z LPCWSTR wzSourcePath,
     __in_z LPCWSTR wzWorkingFolderName,
@@ -2115,7 +2142,7 @@ static HRESULT CopyEngineToWorkingFolder(
     LPWSTR sczPayloadSourcePath = NULL;
     LPWSTR sczPayloadTargetPath = NULL;
 
-    hr = CacheEnsureBaseWorkingFolder(pCache, &sczWorkingFolder);
+    hr = CacheEnsureBaseWorkingFolder(fElevated, pCache, &sczWorkingFolder);
     ExitOnFailure(hr, "Failed to create working path to copy engine.");
 
     hr = PathConcatRelativeToFullyQualifiedBase(sczWorkingFolder, wzWorkingFolderName, &sczTargetDirectory);
  • src/burn/engine/cache.h+3 0 modified
    @@ -97,6 +97,7 @@ HRESULT CacheEnsureAcquisitionFolder(
     __in BURN_CACHE* pCache
     );
 HRESULT CacheEnsureBaseWorkingFolder(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __deref_out_z_opt LPWSTR* psczBaseWorkingFolder
     );
@@ -172,11 +173,13 @@ HRESULT CachePreparePackage(
     __in BURN_PACKAGE* pPackage
     );
 HRESULT CacheBundleToCleanRoom(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __in BURN_SECTION* pSection,
     __deref_out_z_opt LPWSTR* psczCleanRoomBundlePath
     );
 HRESULT CacheBundleToWorkingDirectory(
+    __in BOOL fElvated,
     __in BURN_CACHE* pCache,
     __in_z LPCWSTR wzExecutableName,
     __in BURN_SECTION* pSection,
  • src/burn/engine/core.cpp+5 5 modified
    @@ -182,7 +182,7 @@ extern "C" HRESULT CoreInitialize(
     if (BURN_MODE_NORMAL == pEngineState->internalCommand.mode || BURN_MODE_EMBEDDED == pEngineState->internalCommand.mode)
     {
         // Extract all UX payloads to working folder.
-        hr = UserExperienceEnsureWorkingFolder(&pEngineState->cache, &pEngineState->userExperience.sczTempDirectory);
+        hr = UserExperienceEnsureWorkingFolder(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, &pEngineState->userExperience.sczTempDirectory);
         ExitOnFailure(hr, "Failed to get unique temporary folder for bootstrapper application.");
 
         hr = PayloadExtractUXContainer(&pEngineState->userExperience.payloads, &containerContext, pEngineState->userExperience.sczTempDirectory);
@@ -227,7 +227,7 @@ extern "C" HRESULT CoreInitializeConstants(
         hr = StrAllocString(&pRegistration->sczBundlePackageAncestors, pRegistration->sczId, 0);
         ExitOnFailure(hr, "Failed to copy self to bundle package ancestors.");
     }
-    
+
     for (DWORD i = 0; i < pEngineState->packages.cPackages; ++i)
     {
         BURN_PACKAGE* pPackage = pEngineState->packages.rgPackages + i;
@@ -605,7 +605,7 @@ extern "C" HRESULT CoreElevate(
         // If the elevated companion pipe isn't created yet, let's make that happen.
         if (!pEngineState->sczBundleEngineWorkingPath)
         {
-            hr = CacheBundleToWorkingDirectory(&pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
+            hr = CacheBundleToWorkingDirectory(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
             ExitOnFailure(hr, "Failed to cache engine to working directory.");
         }
 
@@ -714,7 +714,7 @@ extern "C" HRESULT CoreApply(
     // Ensure the engine is cached to the working path.
     if (!pEngineState->sczBundleEngineWorkingPath)
     {
-        hr = CacheBundleToWorkingDirectory(&pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
+        hr = CacheBundleToWorkingDirectory(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, pEngineState->registration.sczExecutableName, &pEngineState->section, &pEngineState->sczBundleEngineWorkingPath);
         ExitOnFailure(hr, "Failed to cache engine to working directory.");
     }
 
@@ -2285,7 +2285,7 @@ static HRESULT DetectPackage(
 {
     HRESULT hr = S_OK;
     BOOL fBegan = FALSE;
-    
+
     fBegan = TRUE;
     hr = UserExperienceOnDetectPackageBegin(&pEngineState->userExperience, pPackage->sczId);
     ExitOnRootFailure(hr, "BA aborted detect package begin.");
  • src/burn/engine/engine.cpp+1 1 modified
    @@ -525,7 +525,7 @@ static HRESULT RunUntrusted(
     }
     else
     {
-        hr = CacheBundleToCleanRoom(&pEngineState->cache, &pEngineState->section, &sczCachedCleanRoomBundlePath);
+        hr = CacheBundleToCleanRoom(pEngineState->internalCommand.fInitiallyElevated, &pEngineState->cache, &pEngineState->section, &sczCachedCleanRoomBundlePath);
         ExitOnFailure(hr, "Failed to cache to clean room.");
 
         wzCleanRoomBundlePath = sczCachedCleanRoomBundlePath;
  • src/burn/engine/userexperience.cpp+2 1 modified
    @@ -169,14 +169,15 @@ extern "C" HRESULT UserExperienceUnload(
 }
 
 extern "C" HRESULT UserExperienceEnsureWorkingFolder(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __deref_out_z LPWSTR* psczUserExperienceWorkingFolder
     )
 {
     HRESULT hr = S_OK;
     LPWSTR sczWorkingFolder = NULL;
 
-    hr = CacheEnsureBaseWorkingFolder(pCache, &sczWorkingFolder);
+    hr = CacheEnsureBaseWorkingFolder(fElevated, pCache, &sczWorkingFolder);
     ExitOnFailure(hr, "Failed to create working folder.");
 
     hr = StrAllocFormatted(psczUserExperienceWorkingFolder, L"%ls%ls\\", sczWorkingFolder, L".ba");
  • src/burn/engine/userexperience.h+1 0 modified
    @@ -64,6 +64,7 @@ HRESULT UserExperienceUnload(
     __in BOOL fReload
     );
 HRESULT UserExperienceEnsureWorkingFolder(
+    __in BOOL fElevated,
     __in BURN_CACHE* pCache,
     __deref_out_z LPWSTR* psczUserExperienceWorkingFolder
     );
  • src/dtf/SfxCA/SfxUtil.cpp+6 26 modified
    @@ -164,38 +164,18 @@ bool ExtractToTempDirectory(__in MSIHANDLE hSession, __in HMODULE hModule,
         StringCchCopy(szTempDir, cchTempDirBuf, szModule);
         StringCchCat(szTempDir, cchTempDirBuf, L"-");
 
+        BOOL fCreatedDirectory = FALSE;
         DWORD cchTempDir = (DWORD) wcslen(szTempDir);
-        for (int i = 0; DirectoryExists(szTempDir); i++)
+        for (int i = 0; i < 10000 && !fCreatedDirectory; i++)
         {
                 swprintf_s(szTempDir + cchTempDir, cchTempDirBuf - cchTempDir, L"%d", i);
+                fCreatedDirectory = ::CreateDirectory(szTempDir, NULL);
         }
 
-        if (!CreateDirectory(szTempDir, NULL))
+        if (!fCreatedDirectory)
         {
-                cchCopied = GetTempPath(cchTempDirBuf, szTempDir);
-                if (cchCopied == 0 || cchCopied >= cchTempDirBuf)
-                {
-                        Log(hSession, L"Failed to get temp directory. Error code %d", GetLastError());
-                        return false;
-                }
-
-                wchar_t* szModuleName = wcsrchr(szModule, L'\\');
-                if (szModuleName == NULL) szModuleName = szModule;
-                else szModuleName = szModuleName + 1;
-                StringCchCat(szTempDir, cchTempDirBuf, szModuleName);
-                StringCchCat(szTempDir, cchTempDirBuf, L"-");
-
-                cchTempDir = (DWORD) wcslen(szTempDir);
-                for (int i = 0; DirectoryExists(szTempDir); i++)
-                {
-                        swprintf_s(szTempDir + cchTempDir, cchTempDirBuf - cchTempDir, L"%d", i);
-                }
-
-                if (!CreateDirectory(szTempDir, NULL))
-                {
-                        Log(hSession, L"Failed to create temp directory. Error code %d", GetLastError());
-                        return false;
-                }
+                Log(hSession, L"Failed to create temp directory. Error code %d", ::GetLastError());
+                return false;
         }
 
         Log(hSession, L"Extracting custom action to temporary directory: %s\\", szTempDir);
6d372e5169f1

Protect elevated working folder from malicious data

https://github.com/wixtoolset/wix3Rob MenschingMar 12, 2024via ghsa
commit
2 files changed · +49 36
  • src/burn/engine/cache.cpp+43 10 modified
    @@ -13,13 +13,15 @@ static BOOL vfInitializedCache = FALSE;
 static BOOL vfRunningFromCache = FALSE;
 static LPWSTR vsczSourceProcessPath = NULL;
 static LPWSTR vsczWorkingFolder = NULL;
+static BOOL vfWorkingFolderElevated = FALSE;
 static LPWSTR vsczDefaultUserPackageCache = NULL;
 static LPWSTR vsczDefaultMachinePackageCache = NULL;
 static LPWSTR vsczCurrentMachinePackageCache = NULL;
 
 static HRESULT CalculateWorkingFolder(
     __in_z LPCWSTR wzBundleId,
-    __deref_out_z LPWSTR* psczWorkingFolder
+    __deref_out_z LPWSTR* psczWorkingFolder,
+    __out_opt BOOL* pfWorkingFolderElevated
     );
 static HRESULT GetLastUsedSourceFolder(
     __in BURN_VARIABLES* pVariables,
@@ -195,11 +197,29 @@ extern "C" HRESULT CacheEnsureWorkingFolder(
 {
     HRESULT hr = S_OK;
     LPWSTR sczWorkingFolder = NULL;
+    BOOL fElevatedWorkingFolder = FALSE;
+    PSECURITY_DESCRIPTOR psd = NULL;
+    LPSECURITY_ATTRIBUTES pWorkingFolderAcl = NULL;
 
-    hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder);
+    hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder, &fElevatedWorkingFolder);
     ExitOnFailure(hr, "Failed to calculate working folder to ensure it exists.");
 
-    hr = DirEnsureExists(sczWorkingFolder, NULL);
+    // If elevated, allocate the pWorkingFolderAcl to protect the working folder to only Admins and SYSTEM.
+    if (fElevatedWorkingFolder)
+    {
+        LPCWSTR wzSddl = L"D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)";
+        if (!::ConvertStringSecurityDescriptorToSecurityDescriptorW(wzSddl, SDDL_REVISION_1, &psd, NULL))
+        {
+            ExitWithLastError(hr, "Failed to create the security descriptor for the working folder.");
+        }
+
+        pWorkingFolderAcl = reinterpret_cast<LPSECURITY_ATTRIBUTES>(MemAlloc(sizeof(SECURITY_ATTRIBUTES), TRUE));
+        pWorkingFolderAcl->nLength = sizeof(SECURITY_ATTRIBUTES);
+        pWorkingFolderAcl->lpSecurityDescriptor = psd;
+        pWorkingFolderAcl->bInheritHandle = FALSE;
+    }
+
+    hr = DirEnsureExists(sczWorkingFolder, pWorkingFolderAcl);
     ExitOnFailure(hr, "Failed create working folder.");
 
     // Best effort to ensure our working folder is not encrypted.
@@ -212,6 +232,11 @@ extern "C" HRESULT CacheEnsureWorkingFolder(
     }
 
 LExit:
+    ReleaseMem(pWorkingFolderAcl);
+    if (psd)
+    {
+        ::LocalFree(psd);
+    }
     ReleaseStr(sczWorkingFolder);
 
     return hr;
@@ -237,7 +262,7 @@ extern "C" HRESULT CacheCalculateBundleWorkingPath(
     }
     else // Otherwise, use the real working folder.
     {
-        hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder);
+        hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder, NULL);
         ExitOnFailure(hr, "Failed to get working folder for bundle.");
 
         hr = StrAllocFormatted(psczWorkingPath, L"%ls%ls\\%ls", sczWorkingFolder, BUNDLE_WORKING_FOLDER_NAME, wzExecutableName);
@@ -258,7 +283,7 @@ extern "C" HRESULT CacheCalculateBundleLayoutWorkingPath(
     HRESULT hr = S_OK;
     LPWSTR sczWorkingFolder = NULL;
 
-    hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath);
+    hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath, NULL);
     ExitOnFailure(hr, "Failed to get working folder for bundle layout.");
 
     hr = StrAllocConcat(psczWorkingPath, wzBundleId, 0);
@@ -278,7 +303,7 @@ extern "C" HRESULT CacheCalculatePayloadWorkingPath(
 {
     HRESULT hr = S_OK;
 
-    hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath);
+    hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath, NULL);
     ExitOnFailure(hr, "Failed to get working folder for payload.");
 
     hr = StrAllocConcat(psczWorkingPath, pPayload->sczKey, 0);
@@ -296,7 +321,7 @@ extern "C" HRESULT CacheCalculateContainerWorkingPath(
 {
     HRESULT hr = S_OK;
 
-    hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath);
+    hr = CalculateWorkingFolder(wzBundleId, psczWorkingPath, NULL);
     ExitOnFailure(hr, "Failed to get working folder for container.");
 
     hr = StrAllocConcat(psczWorkingPath, pContainer->sczHash, 0);
@@ -921,7 +946,7 @@ extern "C" HRESULT CacheRemoveWorkingFolder(
 
     if (vfInitializedCache)
     {
-        hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder);
+        hr = CalculateWorkingFolder(wzBundleId, &sczWorkingFolder, NULL);
         ExitOnFailure(hr, "Failed to calculate the working folder to remove it.");
 
         // Try to clean out everything in the working folder.
@@ -1035,7 +1060,7 @@ extern "C" void CacheCleanup(
 
     if (!fPerMachine)
     {
-        hr = CalculateWorkingFolder(wzBundleId, &sczFolder);
+        hr = CalculateWorkingFolder(wzBundleId, &sczFolder, NULL);
         if (SUCCEEDED(hr))
         {
             hr = PathConcat(sczFolder, L"*.*", &sczFiles);
@@ -1099,7 +1124,8 @@ extern "C" void CacheUninitialize()
 
 static HRESULT CalculateWorkingFolder(
     __in_z LPCWSTR /*wzBundleId*/,
-    __deref_out_z LPWSTR* psczWorkingFolder
+    __deref_out_z LPWSTR* psczWorkingFolder,
+    __out_opt BOOL* pfWorkingFolderElevated
     )
 {
     HRESULT hr = S_OK;
@@ -1143,11 +1169,18 @@ static HRESULT CalculateWorkingFolder(
 
         hr = StrAllocFormatted(&vsczWorkingFolder, L"%ls%ls\\", wzTempPath, wzGuid);
         ExitOnFailure(hr, "Failed to append bundle id on to temp path for working folder.");
+
+        vfWorkingFolderElevated = fElevated;
     }
 
     hr = StrAllocString(psczWorkingFolder, vsczWorkingFolder, 0);
     ExitOnFailure(hr, "Failed to copy working folder path.");
 
+    if (pfWorkingFolderElevated)
+    {
+        *pfWorkingFolderElevated = vfWorkingFolderElevated;
+    }
+
 LExit:
     return hr;
 }
  • src/DTF/Tools/SfxCA/SfxUtil.cpp+6 26 modified
    @@ -164,38 +164,18 @@ bool ExtractToTempDirectory(__in MSIHANDLE hSession, __in HMODULE hModule,
         StringCchCopy(szTempDir, cchTempDirBuf, szModule);
         StringCchCat(szTempDir, cchTempDirBuf, L"-");
 
+        BOOL fCreatedDirectory = FALSE;
         DWORD cchTempDir = (DWORD) wcslen(szTempDir);
-        for (int i = 0; DirectoryExists(szTempDir); i++)
+        for (int i = 0; i < 10000 && !fCreatedDirectory; i++)
         {
                 swprintf_s(szTempDir + cchTempDir, cchTempDirBuf - cchTempDir, L"%d", i);
+                fCreatedDirectory = ::CreateDirectory(szTempDir, NULL);
         }
 
-        if (!CreateDirectory(szTempDir, NULL))
+        if (!fCreatedDirectory)
         {
-                cchCopied = GetTempPath(cchTempDirBuf, szTempDir);
-                if (cchCopied == 0 || cchCopied >= cchTempDirBuf)
-                {
-                        Log(hSession, L"Failed to get temp directory. Error code %d", GetLastError());
-                        return false;
-                }
-
-                wchar_t* szModuleName = wcsrchr(szModule, L'\\');
-                if (szModuleName == NULL) szModuleName = szModule;
-                else szModuleName = szModuleName + 1;
-                StringCchCat(szTempDir, cchTempDirBuf, szModuleName);
-                StringCchCat(szTempDir, cchTempDirBuf, L"-");
-
-                cchTempDir = (DWORD) wcslen(szTempDir);
-                for (int i = 0; DirectoryExists(szTempDir); i++)
-                {
-                        swprintf_s(szTempDir + cchTempDir, cchTempDirBuf - cchTempDir, L"%d", i);
-                }
-
-                if (!CreateDirectory(szTempDir, NULL))
-                {
-                        Log(hSession, L"Failed to create temp directory. Error code %d", GetLastError());
-                        return false;
-                }
+                Log(hSession, L"Failed to create temp directory. Error code %d", ::GetLastError());
+                return false;
         }
 
         Log(hSession, L"Extracting custom action to temporary directory: %s\\", szTempDir);

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.