On Nov 5 17:45, houjingyi wrote: > fhandler_console::create_invisible_console_workaround in > newlib-cygwin\winsup\cygwin\fhandler_console.cc will call CreateProcessW to > create a new hidden process. According to CreateProcessW documention: > > The lpApplicationName parameter can be NULL. In that case, the module name > must be the first white space–delimited token in the lpCommandLine string. > If you are using a long file name that contains a space, use quoted strings > to indicate where the file name ends and the arguments begin; otherwise, > the file name is ambiguous. For example, consider the string "c:\program > files\sub dir\program name". This string can be interpreted in a number of > ways. The system tries to interpret the possibilities in the following > order: > c:\program.exe > c:\program files\sub.exe > c:\program files\sub dir\program.exe > c:\program files\sub dir\program name.exe > > Unfortunately fhandler_console::create_invisible_console_workaround did not > use quote. This problem can be triggered by many ways since > the component was used by other softwares. I can confirm it can at least be > triggered by git(https://git-scm.com/download/win). Just create program.exe > and put it to C:\problem.exe, git-bash.exe creates process mintty.exe, > mintty.exe loads msys-2.0.dll which contains the vulnerable code and > program.exe get executed(I will inform git too). Thanks for the report. I pushed a patch https://sourceware.org/git/?p=newlib-cygwin.git;a=commitdiff;h=530b866c8e47 and created new developer snapshots. Please give the today's snapshot from https://cygwin.com/snapshots/ a try. Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer