[cmake-developers] Security Report for CMake
Justin Clift
justin at postgresql.org
Thu Jul 21 11:49:47 EDT 2016
On 21 Jul 2016, at 15:14, Brad King <brad.king at kitware.com> wrote:
> On 07/21/2016 05:01 AM, Justin Clift wrote:
>> Are there people who could be proactively reached out to, or
>> is it more of a "pray and hope for the best" thing? :)
>
> The latter. If someone familiar with the syntax can add
> precautionary quotes in places they are allowed but missing
> that may help.

k. I've just emailed the people on the git history for the
template file, asking if any of them have the time+skill to
assist. Let's hope. :)

<snip>
> I've revised the commit again to add this information to the
> commit message and the release notes:
>
> NSIS: Quote uninstaller path when executing it in a shell
> https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=11768733
>
>> Cyril's question about a CVE is valid too. This should probably
>> be written up. :)
>>
>> Do you guys want to do that, or should Cyril begin the process?
>
> Please begin one. As now mentioned in the above commit message
> this option was added in CMake 2.8.9 (which was released around
> August 2012).

Cool, that's good info for the CVE. I'll help Cyril with that if
he needs it. :)

> Fortunately CMake's own installers never used this option.
They should be safe to after this. :D
+ Justin
--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi