Re: [cmake-developers] Security Report for CMake
On 21 Jul 2016, at 15:14, Brad King wrote:
> On 07/21/2016 05:01 AM, Justin Clift wrote:
>> Are there people who could be proactively reached out to, or
>> is it more of a "pray and hope for the best" thing? :)
>
> The latter. If someone familiar with the syntax can add
> precautionary quotes in places they are allowed but missing
> that may help.

k. I've just emailed the people on the git history for the template
file, asking if any of them have the time+skill to assist. Let's hope. :)

> I've revised the commit again to add this information to the
> commit message and the release notes:
>
> NSIS: Quote uninstaller path when executing it in a shell
> https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=11768733
>
>> Cyril's question about a CVE is valid too. This should probably
>> be written up. :)
>>
>> Do you guys want to do that, or should Cyril begin the process?
>
> Please begin one. As now mentioned in the above commit message
> this option was added in CMake 2.8.9 (which was released around
> August 2012).

Cool, that's good info for the CVE. I'll help Cyril with that if he
needs it. :)

> Fortunately CMake's own installers never used this option.

They should be safe too after this. :D

+ Justin

--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi

--
Powered by www.kitware.com

Please keep messages on-topic and check the CMake FAQ at:
http://www.cmake.org/Wiki/CMake_FAQ

Kitware offers various services to support the CMake community.
For more information on each offering, please visit:

CMake Support: http://cmake.org/cmake/help/support.html
CMake Consulting: http://cmake.org/cmake/help/consulting.html
CMake Training Courses: http://cmake.org/cmake/help/training.html

Visit other Kitware open-source projects at
http://www.kitware.com/opensource/opensource.html

Follow this link to subscribe/unsubscribe:
http://public.kitware.com/mailman/listinfo/cmake-developers

Re: [cmake-developers] Security Report for CMake
On 20 Jul 2016, at 13:58, Brad King wrote:
> On 07/20/2016 02:31 AM, Justin Clift wrote:
>> Amir pointed out there may be other locations with the same
>> unquoted path problem in the template.
>
> Thanks. I'm not very familiar with NSIS or the syntax in the
> template file so we'll be dependent on others to find/fix any
> remaining problems.

k. Are there people who could be proactively reached out to, or
is it more of a "pray and hope for the best" thing? :)

> Meanwhile I've revised the commit message to update the credits:
>
> NSIS: Quote uninstaller path when executing it in a shell
> https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=057f21ae
>
> I've queued this for merge to 'release' for 3.6.1.

Cool. Is there an ETA for that?

Asking because until then, every Windows installer generated by CMake
with CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL enabled will be bundling
a local privilege escalation to Admin.

While that's not "the sky is falling" stuff... ;) it seems like
something better fixed sooner rather than later.

Cyril's question about a CVE is valid too. This should probably
be written up. :)

Do you guys want to do that, or should Cyril begin the process?

Regards and best wishes,

Justin Clift

Re: [cmake-developers] Security Report for CMake
On 19 Jul 2016, at 21:29, Brad King wrote:
> On 07/19/2016 01:46 PM, Cyril VALLICARI wrote:
>> Here is a patch that corrects the vulnerability
>
> Thanks, applied:
>
> NSIS: Quote uninstaller path when executing it in a shell
> https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=01e1f694
>
> -Brad

Oops, it kind of looks like Cyril forgot to mention there could be
further problems in the same template file.

The initial line was pointed out by Amir Szekely (NSIS project) as
below, while we were trying to figure out where the unquoted path
problem in sqlitebrowser's package was coming from. ;)

Amir pointed out there may be other locations with the same unquoted
path problem in the template.

In my testing for a solution for sqlitebrowser's package, the one I
fixed was definitely an issue, easily replicated.

I'm not sure where the unquoted registry string would be used from.
It didn't seem to be used as such from Windows Control Panel ->
Add/Remove Programs. So, I ignored it. ;)

I don't know enough about CPack to know what other bits I may have
missed though, nor if that unquoted string in the registry could be
a problem in some other way.

Thoughts? :)

Regards and best wishes,

Justin Clift

Begin forwarded message:

> From: Amir Szekely
> Subject: Re: Security report for NSIS
> Date: 15 July 2016 01:33:12 BST
> To: Cyril VALLICARI , jus...@postgresql.org
>
> This seems to be a bug in CPack:
>
> https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L916
>
> That's the line where it executes the uninstaller without quotes. There may
> be more than one place.
>
> They are also writing an unquoted string to the registry:
>
> https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L655
>
> For a quick fix, you can turn off CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL.

[snip]
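
An added example, not part of the thread and not CMake or NSIS project code: a small Python audit for the two patterns Amir Szekely points to above, an uninstaller executed without quotes and an unquoted string written to the registry. The registry value names it checks and the sample script are assumptions constructed for illustration.

```python
QUOTES = ('"', "'", "`")  # NSIS string delimiters
REG_NAMES = {"uninstallstring", "quietuninstallstring"}  # assumed value names

def nsis_args(line):
    """Split one NSIS instruction into arguments, resolving escaped quotes."""
    args, rest = [], line.strip()
    while rest and rest[0] not in ";#":  # a comment runs to end of line
        delim = rest[0] if rest[0] in QUOTES else None
        i, buf = (1 if delim else 0), []
        while i < len(rest):
            if rest.startswith("$\\", i) and rest[i + 2:i + 3] in QUOTES:
                buf.append(rest[i + 2])  # $\" inside a string is a literal "
                i += 3
            elif rest[i] == delim or (delim is None and rest[i].isspace()):
                i += 1
                break
            else:
                buf.append(rest[i])
                i += 1
        args.append("".join(buf))
        rest = rest[i:].lstrip()
    return args

def unquoted(cmd):
    """True if the program path lacks double quotes and may contain a space."""
    head = cmd.lower().split(".exe")[0]
    return not cmd.lstrip().startswith('"') and ("$" in head or " " in head.strip())

def audit(script):
    """Return (line number, instruction, command) for each risky line."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        a = nsis_args(line)
        op = a[0].lower() if a else ""
        if op in ("exec", "execwait") and len(a) > 1 and unquoted(a[1]):
            findings.append((no, a[0], a[1]))
        elif (op == "writeregstr" and len(a) > 4
              and a[3].lower() in REG_NAMES and unquoted(a[4])):
            findings.append((no, a[0], a[4]))
    return findings

# Constructed NSIS fragment for illustration, not taken from NSIS.template.in.
SAMPLE = r'''ExecWait '$0 /S _?=$INSTDIR'
ExecWait '"$0" /S _?=$INSTDIR'
ExecWait "$\"$INSTDIR\Uninstall.exe$\" /S"
WriteRegStr SHCTX "Software\Example" "UninstallString" "$INSTDIR\Uninstall.exe"
WriteRegStr SHCTX "Software\Example" "UninstallString" '"$INSTDIR\Uninstall.exe"'
'''
print(audit(SAMPLE))
```

Only lines 1 and 4 of the sample are reported; the other three wrap the program path in double quotes, either directly or through the `$\"` escape.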