Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg1YzcteDdtMi1yaG1m

Local directory executable lookup in sops (Windows-only)

Impact

Windows users using the sops direct editor option (sops file.yaml) can have a local executable named either vi, vim, or nano executed if running sops from cmd.exe

This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using cmd.exe or the Windows C library SearchPath function. This is a result of these Windows tools including . within their PATH by default.

If you are using sops within untrusted directories on Windows via cmd.exe, please upgrade immediately

As well, if you have . within your default $PATH, please upgrade immediately.

More information can be found on the official Go blog: https://blog.golang.org/path-security

Patches

The problem has been resolved in v3.7.1

Now, if Windows users using cmd.exe run into this issue, a warning message will be printed:
vim resolves to executable in current directory (.\vim.exe)

References

• https://blog.golang.org/path-security

For more information

If you have any questions or comments about this advisory:

• Open a discussion in sops

Permalink: https://github.com/advisories/GHSA-x5c7-x7m2-rhmf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg1YzcteDdtMi1yaG1m
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago

Identifiers: GHSA-x5c7-x7m2-rhmf
References:

• https://github.com/mozilla/sops/security/advisories/GHSA-x5c7-x7m2-rhmf
• https://github.com/advisories/GHSA-x5c7-x7m2-rhmf

Repository: https://github.com/mozilla/sops
Blast Radius: 0.0

Affected Packages