[cmake-developers] Security Report for CMake

Justin Clift justin at postgresql.org
Thu Jul 21 05:01:51 EDT 2016


On 20 Jul 2016, at 13:58, Brad King <brad.king at kitware.com> wrote:
> On 07/20/2016 02:31 AM, Justin Clift wrote:
>> Amir pointed out there may be other locations with the same
>> unquoted path problem in the template.
> 
> Thanks.  I'm not very familiar with NSIS or the syntax in the
> template file so we'll be dependent on others to find/fix any
> remaining problems.

k.  Are there people who could be proactively reached out to, or
is it more of a "pray and hope for the best" thing? :)


> Meanwhile I've revised the commit message to update the credits:
> 
> NSIS: Quote uninstaller path when executing it in a shell
> https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=057f21ae
> 
> I've queued this for merge to 'release' for 3.6.1.

Cool.  Is there an ETA for that?

Asking because until then, every Windows installer generated by
CMake with CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL enabled will
be bundling a local privilege escalation to Admin.

While that's not "the sky is falling" stuff... ;) it seems like
something better fixed sooner rather than later.

Cyril's question about a CVE is valid too.  This should probably
be written up. :)

Do you guys want to do that, or should Cyril begin the process?

Regards and best wishes,

Justin Clift

--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
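
Added example (not part of the original message, and not CMake's own code): a small Python check for the "other locations with the same unquoted path problem" concern in the thread. It lists `Exec`/`ExecWait` calls in an NSIS script whose program path is a variable expansion without inner double quotes. The NSIS fragment is constructed for illustration and the function name is hypothetical.

```python
import re

# Exec/ExecWait take one command-line string. NSIS accepts ', " or ` as the
# outer string delimiter and $\" as an escaped double quote inside it.
EXEC_RE = re.compile(
    r'^\s*(ExecWait|Exec)\s+([\'"`])((?:\$\\.|(?!\2).)*)\2', re.IGNORECASE)
# $0, $INSTDIR, ${SOME_DEFINE}: the value is only known at install time.
VAR_RE = re.compile(r'\$(?:\{[^}]+\}|[A-Za-z0-9_]+)')


def unquoted_exec_calls(script):
    """Return (line_no, line) for Exec/ExecWait calls whose program path is a
    variable expansion not wrapped in inner double quotes."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        m = EXEC_RE.match(line)
        if not m:
            continue  # comment lines and other instructions do not match
        cmdline = m.group(3).lstrip()
        if cmdline.startswith('"') or cmdline.startswith('$\\"'):
            continue  # program path is quoted inside the command line
        program = cmdline.split(None, 1)[0] if cmdline else ""
        if VAR_RE.search(program):
            # A path containing spaces would be ambiguous on the command line.
            findings.append((no, line.strip()))
    return findings


# Constructed NSIS fragment for illustration; not taken from CMake's template.
SAMPLE = r'''
; constructed sample
ReadRegStr $0 HKLM "Software\Example" "UninstallString"
ExecWait '$0 _?=$INSTDIR'
ExecWait '"$0" _?=$INSTDIR'
Exec "$\"$INSTDIR\bin\tool.exe$\" --version"
Exec "$INSTDIR\bin\tool.exe --version"
ExecWait 'regsvr32.exe /s "$INSTDIR\lib.dll"'
'''

if __name__ == "__main__":
    for no, line in unquoted_exec_calls(SAMPLE):
        print(f"line {no}: unquoted program path: {line}")
```

The check is line-based and only covers `Exec`/`ExecWait` with a quoted string argument, so a hit is a prompt for manual review of the template rather than a complete audit.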


