On 19 Jul 2016, at 21:29, Brad King <brad.k...@kitware.com> wrote: > On 07/19/2016 01:46 PM, Cyril VALLICARI wrote: >> Here a Patch that correct the vulnerability > > Thanks, applied: > > NSIS: Quote uninstaller path when executing it in a shell > https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=01e1f694 > > -Brad
Oops, it kind of looks like Cyril forgot to mention there could be further problems in the same template file. The initial line was pointed out by Amir Szekely (NSIS project) as below, while we were trying to figure out where the unquoted path problem in sqlitebrowser's package was coming from. ;) Amir pointed out there may be other locations with the same unquoted path problem in the template. In my testing for a solution for sqlitebrowser's package, the one I fixed was definitely an issue, easily replicated. I'm not sure where the unquoted registry string would be used from. It didn't seem to be used as such from Windows Control Panel -> Add/Remove Programs. So, I ignored it. ;) I don't know enough about CPack to know what other bits I may have missed though, nor if that unquoted string in the registry could be a problem in some other way. Thoughts? :) Regards and best wishes, Justin Clift Begin forwarded message: > From: Amir Szekely <kic...@gmail.com> > Subject: Re: Security report for NSIS > Date: 15 July 2016 01:33:12 BST > To: Cyril VALLICARI <c.vallic...@gmail.com>, jus...@postgresql.org > > This seems to be a bug in CPack: > > https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L916 > > That's the line where it executes the uninstaller without quotes. There may > be more than one place. > > They are also writing an unquoted string to to the registry: > > https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L655 > > For a quick fix, you can turn off CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL. [snip] -- "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi -- Powered by www.kitware.com Please keep messages on-topic and check the CMake FAQ at: http://www.cmake.org/Wiki/CMake_FAQ Kitware offers various services to support the CMake community. For more information on each offering, please visit: CMake Support: http://cmake.org/cmake/help/support.html CMake Consulting: http://cmake.org/cmake/help/consulting.html CMake Training Courses: http://cmake.org/cmake/help/training.html Visit other Kitware open-source projects at http://www.kitware.com/opensource/opensource.html Follow this link to subscribe/unsubscribe: http://public.kitware.com/mailman/listinfo/cmake-developers