[cmake-developers] Security Report for CMake
Justin Clift
justin at postgresql.org
Thu Jul 21 05:01:51 EDT 2016
On 20 Jul 2016, at 13:58, Brad King <brad.king at kitware.com> wrote:
> On 07/20/2016 02:31 AM, Justin Clift wrote:
>> Amir pointed out there may be other locations with the same
>> unquoted path problem in the template.
>
> Thanks. I'm not very familiar with NSIS or the syntax in the
> template file so we'll be dependent on others to find/fix any
> remaining problems.

k. Are there people who could be proactively reached out to, or
is it more of a "pray and hope for the best" thing? :)

> Meanwhile I've revised the commit message to update the credits:
>
> NSIS: Quote uninstaller path when executing it in a shell
> https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=057f21ae
>
> I've queued this for merge to 'release' for 3.6.1.

Cool. Is there an ETA for that?

Asking because until then, every Windows installer generated by
CMake with CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL enabled will
be bundling a local privilege escalation to Admin.

While that's not "the sky is falling" stuff... ;) it seems like
something better fixed sooner rather than later.

Cyril's question about a CVE is valid too. This should probably
be written up. :)

Do you guys want to do that, or should Cyril begin the process?

Regards and best wishes,

Justin Clift
--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi