Update HSEC-2024-0003 with new fix
TristanCacqueray authored and frasertweedale committed Oct 2, 2024
1 parent 08a0b53 commit d5d7caf
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion advisories/hackage/process/HSEC-2024-0003.md
Expand Up @@ -18,6 +18,13 @@ url = "https://kb.cert.org/vuls/id/123335"
type = "FIX"
url = "https://github.com/haskell/process/commit/3c419f9eeedac024c9dccce544e5a6fb587179a5"

[[references]]
type = "FIX"
url = "https://github.com/haskell/process/commit/951b02dd95559b1a26f2456bfb97cf740ea40934"

[[references]]
type = "FIX"
url = "https://github.com/haskell/process/commit/5fc91f5f36ed4479be2b95f04f264bb78ac8089d"

[[affected]]
package = "process"
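Review bot: the two new `[[references]]` entries are typed `FIX` like the existing one, but nothing in the metadata says which release each commit belongs to, so a reader cannot tell the original fix from the follow-up without opening the commits. Consider keeping the original-fix commit first and making sure the advisory body names the later commits as the 1.6.23.0 follow-up, and double-check that both new hashes are reachable from the process default branch before merging.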
Expand All @@ -26,7 +33,7 @@ cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"

[[affected.versions]]
introduced = "1.0.0.0"
fixed = "1.6.19.0"
fixed = "1.6.23.0"
```

# process: command injection via argument list on Windows
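Review bot: raising `fixed` from `"1.6.19.0"` to `"1.6.23.0"` in the single `[[affected.versions]]` range now declares 1.6.19.0 through 1.6.22.x as vulnerable to the full issue, even though the original injection was already addressed in 1.6.19.0 and only the residual cases remained. If that widening is deliberate, say so in the body; otherwise a more precise encoding is two ranges, one `introduced = "1.0.0.0"` / `fixed = "1.6.19.0"` for the original issue and a second for the residual cases fixed in 1.6.23.0, so tooling does not over-report the older fixed versions. The unchanged `cvss` context line should also be reconsidered if the residual cases have different preconditions than the original.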
Expand Down Expand Up @@ -147,6 +154,10 @@ bump. Because we expect very few (if any) users will be impacted by
the behavioural change, the GHC team made a pragmatic decision to
avoid the disruption that a major version bump would cause.
A follow-up fix was released in ***process-1.6.23.0*** to handle batch
scripts with paths ending in whitespace and periods and
unescaped `%` expansions.
## Acknowledgements
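Review bot: the added paragraph starting `A follow-up fix was released in ***process-1.6.23.0***` is placed directly after `avoid the disruption that a major version bump would cause.` with no blank line, so Markdown will merge it into the preceding paragraph; insert a blank line before it and another before `## Acknowledgements`. The sentence itself is ambiguous about whether `unescaped `%` expansions` is a property of the path or a separate case; consider wording it as two items, e.g. "batch scripts whose paths end in whitespace or periods, and unescaped `%` expansions".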
Expand All @@ -158,3 +169,7 @@ Ben Gamari commited and released the fix, which was based on a
proposal by Fraser Tweedale. Fraser also improved the
`System.Process` module documentation to better explain the Windows
semantics.
Security researcher **Kainan Zhang** (@4xpl0r3r) discovered and
responsibly disclosing the issue in the first fix and the Rust
Security Response WG coordinated the response.
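Review bot: the new sentence has a verb-form error, `discovered and responsibly disclosing the issue` should read `discovered and responsibly disclosed the issue`, and `the issue in the first fix` is clearer as `the issue with the first fix`. As in the previous hunk, the added text follows `semantics.` without a blank line and will merge into that paragraph. While touching this section, the pre-existing typo `commited` in the context line `Ben Gamari commited and released the fix` could be fixed in the same commit.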
