[cmake-developers] Security Report for CMake

Justin Clift justin at postgresql.org
Wed Jul 20 02:31:36 EDT 2016 

On 19 Jul 2016, at 21:29, Brad King <brad.king at kitware.com> wrote:
> On 07/19/2016 01:46 PM, Cyril VALLICARI wrote:
>> Here a Patch that correct the vulnerability 
> 
> Thanks, applied:
> 
> NSIS: Quote uninstaller path when executing it in a shell
> https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=01e1f694
> 
> -Brad

Oops, it kind of looks like Cyril forgot to mention there could
be further problems in the same template file.  The initial line
was pointed out by Amir Szekely (NSIS project) as below, while we
were trying to figure out where the unquoted path problem in
sqlitebrowser's package was coming from. ;)

Amir pointed out there may be other locations with the same
unquoted path problem in the template.

In my testing for a solution for sqlitebrowser's package, the
one I fixed was definitely an issue, easily replicated.

I'm not sure where the unquoted registry string would be used from.
It didn't seem to be used as such from Windows Control Panel ->
Add/Remove Programs.  So, I ignored it. ;)

I don't know enough about CPack to know what other bits I may have
missed though, nor if that unquoted string in the registry could be
a problem in some other way.

Thoughts? :)

Regards and best wishes,

Justin Clift


Begin forwarded message:
> From: Amir Szekely <kichik at gmail.com>
> Subject: Re: Security report for NSIS
> Date: 15 July 2016 01:33:12 BST
> To: Cyril VALLICARI <c.vallicari at gmail.com>, justin at postgresql.org
> 
> This seems to be a bug in CPack:
> 
> https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L916
> 
> That's the line where it executes the uninstaller without quotes. There may be more than one place.
> 
> They are also writing an unquoted string to to the registry:
> 
> https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L655
> 
> For a quick fix, you can turn off CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL.
[snip]

--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi

More information about the cmake-developers mailing list