--- /dev/null
+diff --git a/nsis-3.0b3-src/SCons/Config/ms b/nsis-3.0b3-src/SCons/Config/ms
+index 32d3d33..d2c4d25 100644
+--- a/nsis-3.0b3-src/SCons/Config/ms
++++ b/nsis-3.0b3-src/SCons/Config/ms
+@@ -16,7 +16,7 @@ def entry(x,u):
+
+ defenv['ENTRY_FLAG'] = entry
+ defenv['MAP_FLAG'] = '/map'
+-defenv['NODEFLIBS_FLAG'] = '/NODEFAULTLIB'
++#defenv['NODEFLIBS_FLAG'] = '/NODEFAULTLIB'
+ defenv['C_FLAG'] = '/TC'
+ defenv['CPP_FLAG'] = '/TP'
+ defenv['CPP_REQUIRES_STDLIB'] = 0
+@@ -29,7 +29,7 @@ defenv['STDCALL'] = '__stdcall'
+ msvs_version = float(defenv['MSVS_VERSION'].replace('Exp',''))
+ if msvs_version >= 8.0:
+ defenv['EXCEPTION_FLAG'] = '/EHsc'
+- defenv.Append(CCFLAGS = ['/GS-'])
++ defenv.Append(CCFLAGS = ['/GS'])
+ defenv.Append(CPPDEFINES = ['_CRT_SECURE_NO_WARNINGS', '_CRT_NONSTDC_NO_WARNINGS', '_CRT_SECURE_NO_DEPRECATE', '_CRT_NON_CONFORMING_SWPRINTFS'])
+ defenv['MSVCRT_FLAG'] = '/MT' # Avoid msvcr?0.dll dependency
+ else:
+@@ -143,9 +143,9 @@ stub_env.Append(CCFLAGS = ['/Fa${TARGET}.lst']) # listing file name
+ stub_env.Append(LINKFLAGS = ['$NODEFLIBS_FLAG']) # no default libraries
+ stub_env.Append(LINKFLAGS = ['$MAP_FLAG']) # generate map file
+
+-if msvs_version >= 10.0:
+- # no relocations that our resource editor ignores
+- stub_env.Append(LINKFLAGS = ['/FIXED'])
++#if msvs_version >= 10.0:
++# # no relocations that our resource editor ignores
++# stub_env.Append(LINKFLAGS = ['/FIXED'])
+
+ stub_uenv = stub_env.Clone()
+ stub_uenv.Append(CPPDEFINES = ['_UNICODE', 'UNICODE'])
+diff --git a/nsis-3.0b3-src/Source/exehead/Main.c b/nsis-3.0b3-src/Source/exehead/Main.c
+index eb231e7..e4642ce 100644
+--- a/nsis-3.0b3-src/Source/exehead/Main.c
++++ b/nsis-3.0b3-src/Source/exehead/Main.c
+@@ -84,6 +84,7 @@ void *g_SHGetFolderPath;
+ NSIS_ENTRYPOINT_GUINOCRT
+ EXTERN_C void NSISWinMainNOCRT()
+ {
++ __security_init_cookie();
+ int ret = 0;
+ const TCHAR *m_Err = _LANG_ERRORWRITINGTEMP;
+
\r
1a. Note that the NSIS binary version available at\r
http://nsis.sourceforge.net/Download is not built with\r
- NSIS_CONFIG_LOG=yes and NSIS_MAX_STRLEN=8192 set, so you may have\r
- to build NSIS from source with these flags set. The source for\r
- NSIS 3.0.b3 is available from\r
+ NSIS_CONFIG_LOG=yes and NSIS_MAX_STRLEN=8192 set. Also, changes to need\r
+ to be made to NSIS to increase the security of the Runtime Installer.\r
+\r
+ The source for NSIS 3.0.b3 can be downloaded from\r
https://sourceforge.net/projects/nsis/files/NSIS%203%20Pre-release/3.0b3/nsis-3.0b3-src.tar.bz2/download\r
\r
Instructions for building NSIS are available at\r
http://nsis//sourceforge.net/Docs/AppendixG.html.\r
\r
- To increase the security of the Runtime Installer - specifically\r
- enabling buffer overrun security checks and enabling address space\r
- layout randomization (ASLR), these changes should be made to the NSIS source file\r
- nsis-3.0b3-src/SCons/Config/ms:\r
+ The security changes to NSIS involve adding the /DYMANICBASE and /GS options\r
+ to the NSIS compile/link steps, so that the Runtime Installer and Uninstaller\r
+ are built with address space layout randomization and buffer overrun checks.\r
\r
- - comment out the line enabling the /FIXED linker option\r
- - change the line that sets the /GS- compile option to instead set the /GS compile option\r
- - comment out the line that sets the NODEFLIBS_FLAG to /NODEFAULTLIB\r
+ The security changes to NSIS can be made by applying the patch in the\r
+ NSIS_Security.patch file in this folder.\r
\r
- The command to build NSIS from source:\r
+ After you have applied the security patch, build NSIS with this command:\r
\r
scons SKIPUTILS="NSIS Menu","MakeLangId" UNICODE=yes \\r
ZLIB_W32=<path_to_zlib>\zlib-1.2.7-win32-x86 NSIS_MAX_STRLEN=8192 \\r
NSIS_CONFIG_LOG=yes NSIS_CONFIG_LOG_TIMESTAMP=yes \\r
APPEND_CCFLAGS="/DYNAMICBASE /Zi" APPEND_LINKFLAGS="/DYNAMICBASE \\r
/DEBUG /OPT:REF /OPT:ICF" SKIPDOC=all dist-zip\r
- \r
+\r
This will create a zip file in the nsis-3.0.b3-src directory. Unpack\r
the zip file anywhere on your system. The resulting tree will contain a\r
- Plugins directory. Install the NSIS AccessControl plugin in this\r
- directory. Add the Bin directory to your PATH enviroment variable so that\r
- the CreateInstaller.sh script below will use your custom-built version of\r
+ Plugins directory. Install the NSIS AccessControl plugin in this directory.\r
+ Add the Bin directory to your PATH enviroment variable so that the\r
+ CreateInstaller.sh step below will use your custom-built version of\r
NSIS.\r
\r
Before using NSIS and creating the installer, make sure that all shared\r