* report security problem
@ 2019-11-05 9:45 houjingyi
2019-11-05 11:17 ` Corinna Vinschen
0 siblings, 1 reply; 2+ messages in thread
From: houjingyi @ 2019-11-05 9:45 UTC (permalink / raw)
To: cygwin
fhandler_console::create_invisible_console_workaround in
newlib-cygwin\winsup\cygwin\fhandler_console.cc will call CreateProcessW to
create a new hidden process. According to CreateProcessW documention:
The lpApplicationName parameter can be NULL. In that case, the module name
must be the first white space–delimited token in the lpCommandLine string.
If you are using a long file name that contains a space, use quoted strings
to indicate where the file name ends and the arguments begin; otherwise,
the file name is ambiguous. For example, consider the string "c:\program
files\sub dir\program name". This string can be interpreted in a number of
ways. The system tries to interpret the possibilities in the following
order:
c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
c:\program files\sub dir\program name.exe
Unfortunately fhandler_console::create_invisible_console_workaround did not
use quote. This problem can be triggered by many ways since
the component was used by other softwares. I can confirm it can at least be
triggered by git(https://git-scm.com/download/win). Just create program.exe
and put it to C:\problem.exe, git-bash.exe creates process mintty.exe,
mintty.exe loads msys-2.0.dll which contains the vulnerable code and
program.exe get executed(I will inform git too).
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: report security problem
2019-11-05 9:45 report security problem houjingyi
@ 2019-11-05 11:17 ` Corinna Vinschen
0 siblings, 0 replies; 2+ messages in thread
From: Corinna Vinschen @ 2019-11-05 11:17 UTC (permalink / raw)
To: houjingyi; +Cc: cygwin
[-- Attachment #1: Type: text/plain, Size: 1743 bytes --]
On Nov 5 17:45, houjingyi wrote:
> fhandler_console::create_invisible_console_workaround in
> newlib-cygwin\winsup\cygwin\fhandler_console.cc will call CreateProcessW to
> create a new hidden process. According to CreateProcessW documention:
>
> The lpApplicationName parameter can be NULL. In that case, the module name
> must be the first white space–delimited token in the lpCommandLine string.
> If you are using a long file name that contains a space, use quoted strings
> to indicate where the file name ends and the arguments begin; otherwise,
> the file name is ambiguous. For example, consider the string "c:\program
> files\sub dir\program name". This string can be interpreted in a number of
> ways. The system tries to interpret the possibilities in the following
> order:
> c:\program.exe
> c:\program files\sub.exe
> c:\program files\sub dir\program.exe
> c:\program files\sub dir\program name.exe
>
> Unfortunately fhandler_console::create_invisible_console_workaround did not
> use quote. This problem can be triggered by many ways since
> the component was used by other softwares. I can confirm it can at least be
> triggered by git(https://git-scm.com/download/win). Just create program.exe
> and put it to C:\problem.exe, git-bash.exe creates process mintty.exe,
> mintty.exe loads msys-2.0.dll which contains the vulnerable code and
> program.exe get executed(I will inform git too).
Thanks for the report. I pushed a patch
https://sourceware.org/git/?p=newlib-cygwin.git;a=commitdiff;h=530b866c8e47
and created new developer snapshots. Please give the today's
snapshot from https://cygwin.com/snapshots/ a try.
Thanks,
Corinna
--
Corinna Vinschen
Cygwin Maintainer
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-11-05 11:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-05 9:45 report security problem houjingyi
2019-11-05 11:17 ` Corinna Vinschen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).