Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: n...@packages.debian.org, christian.fra...@t-online.de
Control: affects -1 + src:nsis

Please update nsis 3.08-3 to 3.09.

[ Reason ]
Generated installers contain invalid relocation information, see
Bug#1050288. This is a regression introduced by a changed behavior
of the MinGW-w64 toolchain.

nsis 3.06.1-1 on bullseye is not affected because an older version
of the toolchain is used.

nsis-3.09-1 on trixie is not affected because NSIS upstream
addressed this problem in release 3.09.

This update also fixes security vulnerability CVE-2023-37378,
see Bug#1040880.

[ Impact ]
Large installers may work on Windows, but small installers do not.
Even if an installer works, warning messages from security scanners
may be triggered because the file is considered corrupt.

[ Tests ]
Create a small installer with makensis.
The problem is fixed if 'objdump -p' no longer complains
"BFD: error: FILE.exe(.reloc) is too large"
and the size of the '.reloc' section is 0.
See Bug#1050288 for details.

[ Risks ]
NSIS 3.09 is the official upstream release proven to work for
some time now.
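
The check described under [ Tests ], as an added shell example that is not part of the original report. It assumes the '.reloc' size is read from the "Base Relocation Directory [.reloc]" line that 'objdump -p' prints for PE files; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: evaluates the two [ Tests ] conditions on saved output of
#   objdump -p FILE.exe > dump.txt 2>&1
# Assumption: the '.reloc' size is the second hex field of the data directory
# line "Entry 5 <addr> <size> Base Relocation Directory [.reloc]".

# reloc_ok DUMP -> 0 fixed, 1 BFD error present, 2 size not 0, 3 entry missing
reloc_ok() {
    # Condition 1: the error quoted in the report must be absent.
    grep -q '(\.reloc) is too large' "$1" && return 1
    # Condition 2: the relocation directory size must be all zeros.
    size=$(awk '/Base Relocation Directory \[\.reloc\]/ { print $4; exit }' "$1")
    [ -n "$size" ] || return 3
    case $size in *[!0]*) return 2 ;; esac
    return 0
}

# check_installer FILE.exe: run objdump on a real installer, then apply reloc_ok.
check_installer() {
    out=$(mktemp) || return 4
    objdump -p "$1" > "$out" 2>&1 || true
    rc=0; reloc_ok "$out" || rc=$?
    rm -f "$out"
    return "$rc"
}

# write_samples DIR: constructed objdump output, not taken from a real installer.
write_samples() {
    printf '%s\n' \
        'Entry 5 00000000 00000000 Base Relocation Directory [.reloc]' \
        > "$1/fixed.txt"
    printf '%s\n' \
        'BFD: error: small.exe(.reloc) is too large' \
        'Entry 5 00009000 0000000c Base Relocation Directory [.reloc]' \
        > "$1/broken.txt"
    printf '%s\n' \
        'Entry 5 00009000 0000000c Base Relocation Directory [.reloc]' \
        > "$1/nonzero.txt"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in fixed broken nonzero; do
    rc=0; reloc_ok "$tmp/$f.txt" || rc=$?
    echo "$f: reloc_ok returned $rc"
done
rm -rf "$tmp"
```

On a system with makensis and binutils installed, 'check_installer small.exe' applies the same two conditions to a freshly built installer.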