HSEC-2024-0003: add acknowledgements + other improvements #189

Merged
25 changes: 20 additions & 5 deletions advisories/hackage/process/HSEC-2024-0003.md
Expand Up @@ -24,14 +24,16 @@ fixed = "1.6.19.0"
# process: command injection via argument list on Windows

The *process* library on Windows is vulnerable to a command injection
vulnerability, via `cmd.exe`'s interpretation of arguments. Processes that
vulnerability, via `cmd.exe`'s interpretation of arguments. Programs that
invoke batch files (`.bat`, `.cmd`) and pass arguments whose values are
affected by program inputs may be affected.

This issue was discovered in many programming languages' Windows process
execution behaviour. It was tracked by CERT/CC as **VU#123335** and a
coordinated disclosure was made on 2024-04-09 17:00 UTC.

A fix was released in *process-1.6.19.0*.


## Background

Expand Down Expand Up @@ -121,16 +123,29 @@ that include special characters including `&` and `"`.
## Fix versions

*process* was modified to perform additional escaping and quoting
when executing `.bat` and `.cmd` files on Windows.
when executing `.bat` and `.cmd` files on Windows (ignoring
character case). The behaviour is unchanged in all other cases.

The fix was released in ***process-1.6.19.0***. It will be
included in the next GHC 9.10 alpha.

Such a change in semantics should normally result in a major version
bump. Because we expect very few (if any) users are affected by
this vulnerability, the GHC team made a pragmatic decision to avoid
the disruption that a major version bump would cause.
bump. Because we expect very few (if any) users will be impacted by
the behavioural change, the GHC team made a pragmatic decision to
avoid the disruption that a major version bump would cause.

Backports to earlier releases of *process* for still-maintained
branches of GHC will be considered in accordance with the regular
release schedule.


## Acknowledgements

Security researcher **RyotaK** discovered and responsibly disclosed
this vulnerability, coordinating the response across the many
affected langauges and ecosystems.

Ben Gamari commited and released the fix, which was based on a
proposal by Fraser Tweedale. Fraser also improved the
`System.Process` module documentation to better explain the Windows
semantics.
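Review bot: two spelling errors in the new Acknowledgements section, "affected langauges and ecosystems" should be "affected languages and ecosystems", and "Ben Gamari commited and released the fix" should be "committed". In the Fix versions paragraph, "(ignoring character case)" is ambiguous about what is compared case-insensitively; suggest "when executing files whose extension is `.bat` or `.cmd` (matched case-insensitively) on Windows" so readers know the check is on the file extension. The sentence "It will be included in the next GHC 9.10 alpha." is a forward-looking statement that will go stale once that alpha ships; consider phrasing it as the first GHC release series that carries the fix, or dropping it in favour of the backports paragraph below it. There is also a double blank line before `## Acknowledgements`, same nit as the earlier hunk.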