[cmake-developers] Security Report for CMake
Cyril VALLICARI
c.vallicari at gmail.com
Tue Jul 19 13:46:50 EDT 2016
Hello,
While working on sqlitebrowser security (which uses CMake) I've found that
the installer
executes an unquoted command when it calls the uninstall command.
POC Screenshot in attached file
Which allows a privilege escalation as described here:
cwe.mitre.org/data/definitions/428.html
After digging a little bit more with the sqlitebrowser team we found out that
this line is the problem:
https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L916
This :
ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file
Should be :
+ ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file
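Review bot: the change quotes only the uninstaller path in $0 and leaves `_?=$3` bare; that is the right shape, because NSIS requires `_?=` to be the last argument on the command line and it must not be quoted even when the directory contains spaces, so a well-meaning follow-up that also quotes $3 would break uninstall. Worth stating that in the commit message so the asymmetry is not "fixed" later.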
Here is a patch that corrects the vulnerability:
https://github.com/justinclift/CMake/commit/af65a04f690e1d6e6e2d3aa3467116689ab12b4f
We've tested this; it works fine and fully corrects the vulnerability :)
If you ever reward such reports, let me know, and please, if you can, credit
me for the report.
Best Regards
Cyril Vallicari / Ug_0 Security
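As an added illustration of the report above (this is not code from the report, from sqlitebrowser or from CMake), the following Python models the two halves of the problem: a small scanner that flags Exec/ExecWait lines in an NSIS script whose program path is not quoted, and a lexical model of how CreateProcess resolves an unquoted command line, which is what turns the missing quotes into CWE-428. The NSIS sample lines and the example $0/$3 values are constructed; the CreateProcess model reproduces only the documented prefix-by-prefix search and does not check whether the candidate files exist.

```python
import ntpath
import re
from typing import List

# Constructed sample NSIS lines (not taken from CMake's NSIS.template.in):
# the vulnerable and fixed forms from the report plus a second pair using
# a double-quoted NSIS string, to exercise both string styles.
NSIS_SAMPLE = "\n".join([
    "ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file",
    "ExecWait '\"$0\" _?=$3' ;Do not copy the uninstaller to a temp file",
    'ExecWait "$INSTDIR\\helper.exe /S"',
    "ExecWait '\"$INSTDIR\\helper.exe\" /S'",
])

# Exec/ExecWait followed by an NSIS string in any of its three quote styles.
_EXEC_RE = re.compile(r"""^\s*(Exec|ExecWait)\s+(['"`])(.*?)\2""", re.IGNORECASE)


def is_unquoted_exec(line: str) -> bool:
    """True when an Exec/ExecWait command line starts with an unquoted
    program path that is a variable or contains spaces (CWE-428 pattern)."""
    m = _EXEC_RE.match(line)
    if not m:
        return False
    cmd = m.group(3).lstrip()
    # A literal " inside a single-quoted NSIS string, or the $\" escape
    # inside a double-quoted one, both mean the program path is quoted.
    if cmd.startswith('"') or cmd.startswith('$\\"'):
        return False
    return cmd.startswith("$") or " " in cmd


def scan_nsis(script: str) -> List[int]:
    """Return the 1-based line numbers of unquoted Exec/ExecWait calls."""
    return [n for n, line in enumerate(script.splitlines(), 1)
            if is_unquoted_exec(line)]


def create_process_candidates(cmdline: str) -> List[str]:
    """Lexical model of how CreateProcess resolves a command line when no
    application name is given: a quoted first token is used as-is; otherwise
    every whitespace-delimited prefix is tried in order, with ".exe" appended
    when the candidate has no extension (documented CreateProcess behaviour).
    File-system existence checks are deliberately not modelled here."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:end] if end > 0 else cmdline[1:]]
    cut_points = [m.start() for m in re.finditer(r"\s+", cmdline)] + [len(cmdline)]
    candidates = []
    for cut in cut_points:
        prefix = cmdline[:cut]
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def plantable_paths(cmdline: str, real_exe: str) -> List[str]:
    """Candidates CreateProcess would try before reaching the intended
    executable: each is a location an attacker could plant a binary in."""
    out = []
    for cand in create_process_candidates(cmdline):
        if cand.lower() == real_exe.lower():
            break
        out.append(cand)
    return out


if __name__ == "__main__":
    # Constructed example of what $0 and $3 might expand to at run time.
    exe = r"C:\Program Files\sqlitebrowser\Uninstall.exe"
    inst = r"C:\Program Files\sqlitebrowser"
    print("unquoted NSIS lines:", scan_nsis(NSIS_SAMPLE))
    print("plantable (unquoted):", plantable_paths(f"{exe} _?={inst}", exe))
    print("plantable (quoted)  :", plantable_paths(f'"{exe}" _?={inst}', exe))
```

With the unquoted form the first candidate is C:\Program.exe, a path a low-privileged user can sometimes create; with the quoted form the only candidate is the real uninstaller, which is why adding the double quotes around $0 is sufficient.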
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://public.kitware.com/pipermail/cmake-developers/attachments/20160719/108aa456/attachment-0001.html>