From 6c66af0fd0879ed3ae2dd40e5587a070a2130140 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 10 Apr 2024 12:17:10 +1000 Subject: [PATCH] HSEC-2024-0003: add acknowledgements + other improvements --- advisories/hackage/process/HSEC-2024-0003.md | 25 ++++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/advisories/hackage/process/HSEC-2024-0003.md b/advisories/hackage/process/HSEC-2024-0003.md index db290730..db7f05d3 100644 --- a/advisories/hackage/process/HSEC-2024-0003.md +++ b/advisories/hackage/process/HSEC-2024-0003.md @@ -24,7 +24,7 @@ fixed = "1.6.19.0" # process: command injection via argument list on Windows The *process* library on Windows is vulnerable to a command injection -vulnerability, via `cmd.exe`'s interpretation of arguments. Processes that +vulnerability, via `cmd.exe`'s interpretation of arguments. Programs that invoke batch files (`.bat`, `.cmd`) and pass arguments whose values are affected by program inputs may be affected. @@ -32,6 +32,8 @@ This issue was discovered in many programming languages' Windows process execution behaviour. It was tracked by CERT/CC as **VU#123335** and a coordinated disclosure was made on 2024-04-09 17:00 UTC. +A fix was released in *process-1.6.19.0*. + ## Background 
@@ -121,16 +123,29 @@ that include special characters including `&` and `"`. ## Fix versions *process* was modified to perform additional escaping and quoting -when executing `.bat` and `.cmd` files on Windows. +when executing `.bat` and `.cmd` files on Windows (ignoring +character case). The behaviour is unchanged in all other cases. The fix was released in ***process-1.6.19.0***. It will be included in the next GHC 9.10 alpha. Such a change in semantics should normally result in a major version -bump. Because we expect very few (if any) users are affected by -this vulnerability, the GHC team made a pragmatic decision to avoid -the disruption that a major version bump would cause. +bump. Because we expect very few (if any) users will be impacted by +the behavioural change, the GHC team made a pragmatic decision to +avoid the disruption that a major version bump would cause. Backports to earlier releases of *process* for still-maintained branches of GHC will be considered in accordance with the regular release schedule. + + +## Acknowledgements + +Security researcher **RyotaK** discovered and responsibly disclosed +this vulnerability, coordinating the response across the many +affected langauges and ecosystems. + +Ben Gamari commited and released the fix, which was based on a +proposal by Fraser Tweedale. Fraser also improved the +`System.Process` module documentation to better explain the Windows +semantics.
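Review bot: in the first hunk (the summary paragraph at line 24), the wording change from "Processes" to "Programs" is correct, since it is the calling program, not the spawned process, that is at risk; while touching this sentence, the phrase "is vulnerable to a command injection vulnerability" is redundant and would read better as "is vulnerable to command injection, via `cmd.exe`'s interpretation of arguments."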
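Review bot: the sentence added in the second hunk, "A fix was released in *process-1.6.19.0*.", repeats the `fixed = "1.6.19.0"` metadata and the "Fix versions" section below, so the version now appears in three places that must be kept in sync; if it is meant as a quick pointer for readers of the summary, consider phrasing it as "A fix was released in *process-1.6.19.0* (see Fix versions below)." so the authoritative statement remains in one section.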
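Review bot: the third hunk introduces two spelling errors in the new Acknowledgements text, "langauges" (should be "languages") and "commited" (should be "committed"); please fix both before merging. Two smaller points in the same hunk: "(ignoring character case)" is ambiguous about what is compared case-insensitively, and "(the extension is matched case-insensitively)" would make clear that `.BAT` and `.CMD` are treated the same as `.bat` and `.cmd`; and the reworded justification, which now grounds the decision not to bump the major version on the number of users affected by the behavioural change rather than by the vulnerability, is the right basis, since it is the semantic change to existing callers, not the bug, that a version bump would signal.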