Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1md2o0LTcyZm0tYzkzZ84AAzGI
Under-validated ComSpec and cmd.exe resolution in Mutagen projects
Impact
Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard %ComSpec% mechanism, with a fallback to a %PATH%-based search for cmd.exe. While this is the standard practice on Windows systems, it presents somewhat risky behavior.
Firstly, %ComSpec% could, in theory, be set maliciously. Unfortunately, there's not much that can be done to prevent this attack surface, because %ComSpec% is the official mechanism for shell specification on Windows. We can, however, validate that it points to an absolute path, which one would expect for a properly set value.
Secondly, a fallback to a relative cmd.exe path, resolved via %PATH%, could be risky. The risk is largely mitigated by changes in Go 1.19 and later, but prior to that a malicious cmd.exe could been resolved in the current working directory. To mitigate this issue, Mutagen now uses the %SystemRoot% environment variable (also validated to be an absolute path) to resolve cmd.exe in the event that %ComSpec% is not set correctly.
Patches
The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.
Workarounds
Maintain control of the environment variable settings on your system, in particular the ComSpec environment variable.
References
More information on %ComSpec% can be found online.
More information on Go's PATH-based lookup changes can be found here, here, and here.
A similar issue that was addressed within the Python subprocess module also provides additional discussion.
Permalink: https://github.com/advisories/GHSA-fwj4-72fm-c93gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1md2o0LTcyZm0tYzkzZ84AAzGI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 1 year ago
Updated: almost 1 year ago
Identifiers: GHSA-fwj4-72fm-c93g
References:
- https://github.com/mutagen-io/mutagen/security/advisories/GHSA-fwj4-72fm-c93g
- https://github.com/advisories/GHSA-fwj4-72fm-c93g
Blast Radius: 0.0
Affected Packages
go:github.com/mutagen-io/mutagen
Dependent packages: 6Dependent repositories: 6
Downloads:
Affected Version Ranges: >= 0.17.0, < 0.17.1, < 0.16.6
Fixed in: 0.17.1, 0.16.6
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.17.0
All unaffected versions: 0.16.6, 0.17.1, 0.17.2, 0.17.3, 0.17.4