Package: nsis
Version: 3.08-3
Severity: important

makensis 3.08-3 on bookworm creates installers with a non-empty
relocation section which contains garbage.
The installers work, but trigger false positive warnings from security
scanners, likely due to exe file corruption.

Testcase:

$ dpkg --list nsis nsis-common
...
ii nsis 3.08-3 amd64 ...
ii nsis-common 3.08-3 all ...
$ cat test.nsi
Section "Empty"
SectionEnd
$ makensis test.nsi
...
$ objdump -p test.exe >/dev/null
objdump: error: test.exe(.reloc) is too large (0x8e4 bytes)
$ objdump -p test.exe 2>/dev/null
...
Entry 5 00047000 000008e4 Base Relocation Directory [.reloc]
...
$ objdump -p /usr/share/nsis/Stubs/zlib-x86-unicode
...
Entry 5 00047000 000008e4 Base Relocation Directory [.reloc]
...
PE File Base Relocations (interpreted .reloc section contents)
Virtual Address: 00001000 Chunk size 196 (0xc4) Number of fixups 94
reloc 0 offset 2b [102b] HIGHLOW
reloc 1 offset 40 [1040] HIGHLOW
...
Virtual Address: 0000c000 Chunk size 216 (0xd8) Number of fixups 104
reloc 1 offset 8 [c008] HIGHLOW
reloc 2 offset c [c00c] HIGHLOW
...
reloc 102 offset 8f8 [c8f8] HIGHLOW
reloc 103 offset 8fc [c8fc] HIGHLOW

All the stubs apparently have a non-empty relocation section with
garbage. This is not the case for the stubs from nsis-common-3.06.1-1
(bullseye) and nsis-common-3.09-1 (sid).

This is also not the case with the upstream 3.08 and 3.09 builds for
Windows which are available at
https://sourceforge.net/projects/nsis/files/NSIS%203/

Related: https://sourceforge.net/p/nsis/bugs/1299/

--
Regards
Christian Franke
smartmontools.org
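
Added example (not part of the report and not NSIS or Debian code): one way to check a stub or a generated installer for the symptom described above, by locating data directory entry 5 and walking the base relocation blocks. The names check_reloc and build_sample are hypothetical, the sample image is constructed, and the set of accepted fixup types is a heuristic for x86/x64 images.

```python
import struct

def check_reloc(pe: bytes) -> list:
    """Return problems found in the PE base relocation directory (entry 5)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if len(pe) >= 0x40 else 0
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        return ["not a PE file"]
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, nt + 4)
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    rva, size = struct.unpack_from("<II", pe, dirs + 5 * 8)
    if size == 0:
        return []                                      # no relocations declared
    for i in range(nsect):                             # find the backing section
        vsize, va, rawsize, rawptr = struct.unpack_from(
            "<IIII", pe, opt + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            break
    else:
        return ["directory RVA is not inside any section"]
    problems, off = [], rva - va
    avail = max(0, min(rawsize - off, len(pe) - rawptr - off))
    if size > avail:
        problems.append(f"directory size {size:#x} exceeds file-backed data {avail:#x}")
    data = pe[rawptr + off: rawptr + off + min(size, avail)]
    pos = 0
    while pos + 8 <= len(data):
        page, block = struct.unpack_from("<II", data, pos)
        if block < 8 or block % 4 or pos + block > len(data) or page % 0x1000:
            problems.append(f"malformed block at +{pos:#x}: page={page:#x} size={block:#x}")
            break
        types = {e >> 12 for e, in struct.iter_unpack("<H", data[pos + 8: pos + block])}
        if types - {0, 3, 10}:                         # ABSOLUTE, HIGHLOW, DIR64
            problems.append(f"unexpected fixup types {sorted(types)} in page {page:#x}")
        pos += block
    return problems

def build_sample(reloc: bytes, dir_size: int) -> bytes:
    """Constructed minimal PE32 header plus one .reloc section (sample input only)."""
    h = bytearray(0x200)
    h[:2], h[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x40)              # e_lfanew
    struct.pack_into("<HH", h, 0x44, 0x14C, 1)         # i386, one section
    struct.pack_into("<H", h, 0x54, 224)               # SizeOfOptionalHeader
    struct.pack_into("<H", h, 0x58, 0x10B)             # PE32 magic
    struct.pack_into("<II", h, 0x58 + 96 + 40, 0x47000, dir_size)
    h[0x138:0x140] = b".reloc\0\0"
    struct.pack_into("<IIII", h, 0x140, 0x1000, 0x47000, len(reloc), 0x200)
    return bytes(h) + reloc
```

For a real file, pass its contents, e.g. check_reloc(open("test.exe", "rb").read()); an empty list means the directory is either absent or structurally consistent.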