Merge pull request from GHSA-h7pp-6jqw-g3pj

nvaccess · Jan 22, 2024 · 64e6413 · 64e6413
1 parent d5e2b6b
commit 64e6413
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 14 deletions.
diff --git a/source/appModules/nvda.py b/source/appModules/nvda.py
@@ -253,16 +253,3 @@ def chooseNVDAObjectOverlayClasses(self, obj, clsList):
 		elif self.isNvdaPythonConsoleUIOutputCtrl(obj):
 			clsList.insert(0, NvdaPythonConsoleUIOutputClear)
 			clsList.insert(0, NvdaPythonConsoleUIOutputCtrl)
-
-	@gui.blockAction.when(
-		gui.blockAction.Context.SECURE_MODE,
-		gui.blockAction.Context.WINDOWS_LOCKED,
-	)
-	@script(gesture="kb:control+v")
-	def script_paste(self, gesture: "inputCore.InputGesture") -> None:
-		# This function has no description and does not appear in input gestures
-		# as it should not be modified by the user.
-		# This function processes the paste gesture when performed in NVDA windows for security reasons.
-		# When in secure mode, or while Windows is locked, the default paste behaviour is blocked.
-		# Refer to this NVDA security advisory for details: https://github.com/nvaccess/nvda/security/advisories/GHSA-h7pp-6jqw-g3pj
-		gesture.send()
diff --git a/source/buildVersion.py b/source/buildVersion.py
@@ -67,7 +67,7 @@ def formatVersionForGUI(year, major, minor):
 name = "NVDA"
 version_year = 2023
 version_major = 3
-version_minor = 1
+version_minor = 2
 version_build = 0  # Should not be set manually. Set in 'sconscript' provided by 'appVeyor.yml'
 version=_formatDevVersionString()
 publisher="unknown"

diff --git a/source/core.py b/source/core.py
@@ -566,6 +566,11 @@ def main():
 		speech.speakMessage(_("Loading NVDA. Please wait..."))
 	import wx
 	import six
+
+	# Disables wx logging in secure mode due to a security issue: GHSA-h7pp-6jqw-g3pj
+	# This is due to the wx.LogSysError dialog allowing a file explorer dialog to be opened.
+	wx.Log.EnableLogging(not globalVars.appArgs.secure)
+
 	log.info("Using wx version %s with six version %s"%(wx.version(), six.__version__))
 	class App(wx.App):
 		def OnAssert(self,file,line,cond,msg):

diff --git a/user_docs/en/changes.t2t b/user_docs/en/changes.t2t
@@ -4,6 +4,18 @@ What's New in NVDA
 %!includeconf: ../changes.t2tconf
 %!includeconf: ./locale.t2tconf
 
+= 2023.3.2 =
+This is a patch release to fix a security issue.
+The security patch in 2023.3.1 was not resolved correctly.
+Please responsibly disclose security issues following NVDA's [security policy https://github.com/nvaccess/nvda/blob/master/security.md].
+
+== Security Fixes ==
+- The security patch in 2023.3.1 was not resolved correctly.
+Prevents possible system access and arbitrary code execution with system privileges for unauthenticated users.
+([GHSA-h7pp-6jqw-g3pj https://github.com/nvaccess/nvda/security/advisories/GHSA-h7pp-6jqw-g3pj])
+-
+
+
 = 2023.3.1 =
 This is a patch release to fix a security issue.
 Please responsibly disclose security issues following NVDA's [security policy https://github.com/nvaccess/nvda/blob/master/security.md].