From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 56835 invoked by alias); 5 Nov 2019 11:17:45 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 56820 invoked by uid 89); 5 Nov 2019 11:17:45 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-104.3 required=5.0 tests=AWL,BAYES_00,GOOD_FROM_CORINNA_CYGWIN,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 spammy=H*F:D*cygwin.com X-HELO: mout.kundenserver.de Received: from mout.kundenserver.de (HELO mout.kundenserver.de) (217.72.192.73) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 05 Nov 2019 11:17:43 +0000 Received: from calimero.vinschen.de ([24.134.7.25]) by mrelayeu.kundenserver.de (mreue106 [212.227.15.183]) with ESMTPSA (Nemesis) id 1MTAW9-1iMgRP1pRX-00UWqd; Tue, 05 Nov 2019 12:17:40 +0100 Received: by calimero.vinschen.de (Postfix, from userid 500) id 5AC36A80A5B; Tue, 5 Nov 2019 12:17:39 +0100 (CET) Date: Tue, 05 Nov 2019 11:17:00 -0000 From: Corinna Vinschen To: houjingyi Cc: cygwin@cygwin.com Subject: Re: report security problem Message-ID: <20191105111739.GN3372@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: houjingyi , cygwin@cygwin.com References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="+Hr//EUsa8//ouuB" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.12.1 (2019-06-15) X-SW-Source: 2019-11/txt/msg00020.txt.bz2 --+Hr//EUsa8//ouuB Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 1735 On Nov 5 17:45, houjingyi wrote: > fhandler_console::create_invisible_console_workaround in > newlib-cygwin\winsup\cygwin\fhandler_console.cc will call CreateProcessW = to > create a new hidden process. According to CreateProcessW documention: >=20 > The lpApplicationName parameter can be NULL. In that case, the module name > must be the first white space=E2=80=93delimited token in the lpCommandLin= e string. > If you are using a long file name that contains a space, use quoted strin= gs > to indicate where the file name ends and the arguments begin; otherwise, > the file name is ambiguous. For example, consider the string "c:\program > files\sub dir\program name". This string can be interpreted in a number of > ways. The system tries to interpret the possibilities in the following > order: > c:\program.exe > c:\program files\sub.exe > c:\program files\sub dir\program.exe > c:\program files\sub dir\program name.exe >=20 > Unfortunately fhandler_console::create_invisible_console_workaround did n= ot > use quote. This problem can be triggered by many ways since > the component was used by other softwares. I can confirm it can at least = be > triggered by git(https://git-scm.com/download/win). Just create program.e= xe > and put it to C:\problem.exe, git-bash.exe creates process mintty.exe, > mintty.exe loads msys-2.0.dll which contains the vulnerable code and > program.exe get executed(I will inform git too). Thanks for the report. I pushed a patch https://sourceware.org/git/?p=3Dnewlib-cygwin.git;a=3Dcommitdiff;h=3D530b= 866c8e47 and created new developer snapshots. Please give the today's snapshot from https://cygwin.com/snapshots/ a try. Thanks, Corinna --=20 Corinna Vinschen Cygwin Maintainer --+Hr//EUsa8//ouuB Content-Type: application/pgp-signature; name="signature.asc" Content-length: 833 -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAl3BWlMACgkQ9TYGna5E T6AIDA//eXGOtXrgF4DJTF0fxbNwcxKfltCk/nUsYdsIIuOE7IL98Q5LfXnCrowA MOhR6mWtQHd04Pn3c6/cHauQMJ4Rob0V944U1FLk7/xY6aPta1rAmo8jsoCmHu4T DGMr8b50hEQoaM+Tc8GKNWPaxe31UsI1kssJ/XtM3JihGoN9R4cUJ2Bre88SncuU IAnhtfVQZcDy06kW0qwUe6XMnCdF2latbJxSzJjtwOPHQSRy67UI8kL7yHoYvCGk dwikcPnYBXeKWrO9NHnUoAK5XdiN1cNwMOYko4PsNu/wEloDkzNnrXXUmTEut1CR nPOs17ilyFGjkw+/ASimUQGvu1Fm6GaZbD3TpmzbjRtKj6CKDwK9AzeQUvBfT3rI HUhw0ngOR/WwiIMj0Q4gHby7TqXGMwUgYw5wTTrhcKfzC/neJgmZHa1bRne8BnY6 tcoVTsCh2sy1hx7Y+jKj5rfQ2erjf623A8+VZfT+I99bi5tVtd4E5wzcSO7+AY18 lmTi/K4vCg3BmakrpvFdw04uMPP4xpvvXVLMpgRsAXhqN3h7knPnsBOc5IpZHCg/ RQUIeCQT2RwgR8k87mSX2E7HhVXkSHWVTVq9SMJ4AR5I/jwZqAa+s7b9lMQ64wzu Lipi9wAbZoEpleITeVsmBRtI8cBMAarl1SYB9Sphd5Qh8yNClUA= =KTcB -----END PGP SIGNATURE----- --+Hr//EUsa8//ouuB--