octave-bug-tracker

[Octave-bug-tracker] [bug #62872] mkoctfile potentially executes uncontr


From: Markus Mützel
Subject: [Octave-bug-tracker] [bug #62872] mkoctfile potentially executes uncontrolled commands
Date: Sun, 7 Aug 2022 05:23:07 -0400 (EDT)

URL:
  <https://savannah.gnu.org/bugs/?62872>

                 Summary: mkoctfile potentially executes uncontrolled commands
                 Project: GNU Octave
               Submitter: mmuetzel
               Submitted: Sun 07 Aug 2022 11:23:04 AM CEST
                Category: Other
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: Need Info
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
                 Release: dev
         Discussion Lock: Any
        Operating System: Any


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Sun 07 Aug 2022 11:23:04 AM CEST By: Markus Mützel <mmuetzel>
GitHub's CodeQL identified a couple of places in `mkoctfile.cc` that might
lead to uncontrolled commands being executed:
https://github.com/gnu-octave/octave/security/code-scanning/31
https://github.com/gnu-octave/octave/security/code-scanning/32
https://github.com/gnu-octave/octave/security/code-scanning/33

`mkoctfile.cc` is generated from `mkoctfile.cc.in`. Afaict, the corresponding
lines in that source are:
https://hg.savannah.gnu.org/hgweb/octave/file/7f4ad92265d2/src/mkoctfile.in.cc#l596
https://hg.savannah.gnu.org/hgweb/octave/file/7f4ad92265d2/src/mkoctfile.in.cc#l1151
https://hg.savannah.gnu.org/hgweb/octave/file/7f4ad92265d2/src/mkoctfile.in.cc#l1091

IIUC, the concern raised is that the commands that are being executed are
potentially constructed from the values of environment variables, and there is
no check whether those values are "sane".
That's indeed the case: We allow, e.g., overriding the default C++ compiler
by setting the environment variable `CXX`. And IIUC, we *want* to allow that.

Afaict, to "exploit" this a user would need to be able to set environment
variables and run commands on the system where `mkoctfile` is running. And,
IIUC, the spawned processes will run with the same rights as `mkoctfile`. So,
the impact is pretty limited, and anything going wrong might be a "user error"
imho.
But, I'd like to hear from others if they think differently.








    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?62872>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
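
Added example, not part of the original message and not code from Octave: one form a "sanity" check on an environment-supplied tool setting such as `CXX` could take before the value is placed in a command string. The function names (`env_or`, `is_plain_tool_spec`, `to_argv`) and the allowlist itself are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper: environment override with a built-in default.
std::string env_or(const char *name, const std::string& dflt)
{
  const char *v = std::getenv(name);
  return (v && *v) ? std::string(v) : dflt;
}

// Conservative allowlist (an assumption): characters seen in a tool name plus
// simple flags. Anything a POSIX shell would interpret (; | & $ ` ( ) < >,
// quotes, newline, backslash, glob characters) is rejected.
bool is_plain_tool_spec(const std::string& value)
{
  static const std::string extra = " _-+=./:,@";
  if (value.find_first_not_of(' ') == std::string::npos)
    return false;  // empty or blank
  for (unsigned char c : value)
    if (!std::isalnum(c) && extra.find(static_cast<char>(c)) == std::string::npos)
      return false;
  return true;
}

// Split an accepted value into argv entries so the tool could be started
// with an exec-style API instead of a shell command string.
std::vector<std::string> to_argv(const std::string& value)
{
  std::istringstream in(value);
  std::vector<std::string> argv;
  for (std::string tok; in >> tok; )
    argv.push_back(tok);
  return argv;
}

int main()
{
  // Constructed sample values, not taken from the bug report.
  const char *samples[] = { "g++", "ccache clang++ -std=gnu++17",
                            "g++; echo extra", "g++ | tee build.log" };
  for (const char *s : samples)
    std::cout << (is_plain_tool_spec(s) ? "accept " : "reject ") << s << '\n';
  std::cout << "CXX in this environment: " << env_or("CXX", "g++") << '\n';
  return 0;
}
```

An allowlist this strict also rejects legitimate values such as quoted paths containing spaces, so it trades flexibility of the override for predictability of the spawned command.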



