[Octave-bug-tracker] [bug #62872] mkoctfile potentially executes uncontr

From: Markus Mützel
Subject: [Octave-bug-tracker] [bug #62872] mkoctfile potentially executes uncontrolled commands
Date: Sun, 7 Aug 2022 05:23:07 -0400 (EDT)


                 Summary: mkoctfile potentially executes uncontrolled commands
                 Project: GNU Octave
               Submitter: mmuetzel
               Submitted: Sun 07 Aug 2022 11:23:04 AM CEST
                Category: Other
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: Need Info
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
                 Release: dev
         Discussion Lock: Any
        Operating System: Any


Follow-up Comments:

Date: Sun 07 Aug 2022 11:23:04 AM CEST By: Markus Mützel <mmuetzel>
GitHub's CodeQL identified a couple of places in `mkoctfile.cc` that might
lead to uncontrolled commands being executed:

`mkoctfile.cc` is generated from `mkoctfile.cc.in`. Afaict, the corresponding
lines in that source are:

IIUC, the concern raised is that the commands that are being executed are
potentially constructed from the values of environment variables, and there is
no check whether those values are "sane".
That's indeed the case: We allow, e.g., to override the default C++ compiler
by setting the environment variable `CXX`. And IIUC, we *want* to allow that.

Afaict, to "exploit" this a user would need to be able to set environment
variables and run commands on the system where `mkoctfile` is running. And,
IIUC, the spawned processes will run with the same rights as `mkoctfile`. So,
the impact is pretty limited, and anything going wrong might be a "user error".
But, I'd like to hear from others if they think differently.


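As an added illustration (not part of the original report and not Octave's code), here is one possible form of a check on an override such as `CXX`, which keeps the override usable while refusing values that only a shell would interpret. The function names, the rejected character set and the refusal behaviour are assumptions made for this example.

```cpp
// Added example; the policy and all names here are assumptions.
#include <sstream>
#include <string>
#include <vector>

struct OverrideCheck
{
  bool ok = false;                 // true when the value is plain words only
  std::string reason;              // why it was rejected; empty when ok
  std::vector<std::string> argv;   // program followed by its leading options
};

// Check a tool override such as the value of CXX.  Values like "g++",
// "ccache g++" or "clang++ -std=c++17" pass.  Anything a shell would treat
// as more than a list of words is rejected.  Quoting is not interpreted.
OverrideCheck check_tool_override (const std::string& value)
{
  OverrideCheck result;
  static const std::string shell_syntax = ";|&`$<>()\n\r\"'";

  std::string::size_type pos = value.find_first_of (shell_syntax);
  if (pos != std::string::npos)
    {
      result.reason = "shell syntax at offset " + std::to_string (pos);
      return result;
    }

  std::istringstream words (value);
  for (std::string word; words >> word; )
    result.argv.push_back (word);

  if (result.argv.empty ())
    result.reason = "empty value";
  else
    result.ok = true;
  return result;
}

// Build the argument vector for a compile step.  The vector is meant for an
// exec-style call that takes separate arguments, so no shell parses it.
// An empty result means the override was refused.
std::vector<std::string>
compile_argv (const std::string& cxx_value, const std::string& source)
{
  OverrideCheck check = check_tool_override (cxx_value);
  if (! check.ok)
    return {};
  check.argv.push_back ("-c");
  check.argv.push_back (source);
  return check.argv;
}
```

A check like this narrows what an override can express. It does not change the fact that whoever sets the variable still chooses which program runs.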