[cmake-developers] Security Report for CMake

Brad King brad.king at kitware.com
Thu Jul 21 10:14:22 EDT 2016


On 07/21/2016 05:01 AM, Justin Clift wrote:
> Are there people who could be proactively reached out to, or
> is it more of a "pray and hope for the best" thing? :)

The latter.  If someone familiar with the syntax can add
precautionary quotes in places they are allowed but missing,
that may help.

>> I've queued this for merge to 'release' for 3.6.1.
> 
> Cool.  Is there an ETA for that?

I'm working to get it out as soon as possible.

> Windows installer generated by
> CMake with CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL enabled will
> be bundling a local privilege escalation to Admin.

I've revised the commit again to add this information to the
commit message and the release notes:

 NSIS: Quote uninstaller path when executing it in a shell
 https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=11768733

> Cyril's question about a CVE is valid too.  This should probably
> be written up. :)
> 
> Do you guys want to do that, or should Cyril begin the process?

Please begin one.  As now mentioned in the above commit message,
this option was added in CMake 2.8.9 (which was released around
August 2012).

Fortunately CMake's own installers never used this option.

Thanks,
-Brad
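
A check in the spirit of the "precautionary quotes" suggestion above, as an added example that is not part of the original message or of CMake: it lists `Exec`/`ExecWait` lines in an NSIS script whose program path is a runtime variable not wrapped in double quotes. The function names and the sample script are constructed for illustration, and only single-line instructions are handled.

```python
import re

# Exec / ExecWait take a command line as first parameter (ExecShell does not).
_EXEC = re.compile(r'^\s*(ExecWait|Exec)\s+(.*)$', re.IGNORECASE)


def _first_param(rest):
    """First NSIS parameter with its outer quotes (', " or `) removed."""
    if rest[:1] not in ('"', "'", '`'):
        return rest.split()[0] if rest.split() else ''
    quote, out, i = rest[0], [], 1
    while i < len(rest) and rest[i] != quote:
        # Keep NSIS escapes such as $\" intact instead of ending the string.
        step = 3 if rest.startswith('$\\', i) and i + 2 < len(rest) else 1
        out.append(rest[i:i + step])
        i += step
    return ''.join(out)


def unquoted_exec_paths(script):
    """Return (line_no, line) for Exec/ExecWait running an unquoted variable path."""
    findings = []
    for line_no, line in enumerate(script.splitlines(), 1):
        match = _EXEC.match(line)
        if not match:
            continue
        command = _first_param(match.group(2).strip())
        program = command.split()[0] if command.split() else ''
        quoted = command.startswith(('"', '$\\"'))
        if '$' in program and not quoted:
            findings.append((line_no, line.strip()))
    return findings


# Constructed sample, not taken from CMake's NSIS template.
SAMPLE = r"""
Function constructed_example
  ExecWait '$0 _?=$INSTDIR'
  ExecWait '"$0" /S _?=$INSTDIR'
  Exec "$\"$INSTDIR\tool.exe$\" --version"
  Exec $INSTDIR\helper.exe
  ExecShell "open" "$INSTDIR\readme.txt"
FunctionEnd
"""

if __name__ == "__main__":
    for line_no, line in unquoted_exec_paths(SAMPLE):
        print(f"line {line_no}: quote the program path: {line}")
```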

