Skip to content

Under-validated ComSpec and cmd.exe resolution in Mutagen projects

Low severity GitHub Reviewed Published May 4, 2023 in mutagen-io/mutagen • Updated May 5, 2023

Package

gomod github.com/mutagen-io/mutagen (Go)

Affected versions

< 0.16.6
>= 0.17.0, < 0.17.1

Patched versions

0.16.6
0.17.1

Description

Impact

Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard %ComSpec% mechanism, with a fallback to a %PATH%-based search for cmd.exe. While this is the standard practice on Windows systems, it presents somewhat risky behavior.

Firstly, %ComSpec% could, in theory, be set maliciously. Unfortunately, there's not much that can be done to prevent this attack surface, because %ComSpec% is the official mechanism for shell specification on Windows. We can, however, validate that it points to an absolute path, which one would expect for a properly set value.

Secondly, a fallback to a relative cmd.exe path, resolved via %PATH%, could be risky. The risk is largely mitigated by changes in Go 1.19 and later, but prior to that a malicious cmd.exe could been resolved in the current working directory. To mitigate this issue, Mutagen now uses the %SystemRoot% environment variable (also validated to be an absolute path) to resolve cmd.exe in the event that %ComSpec% is not set correctly.

Patches

The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.

Workarounds

Maintain control of the environment variable settings on your system, in particular the ComSpec environment variable.

References

More information on %ComSpec% can be found online.

More information on Go's PATH-based lookup changes can be found here, here, and here.

A similar issue that was addressed within the Python subprocess module also provides additional discussion.

References

@xenoscopic xenoscopic published to mutagen-io/mutagen May 4, 2023
Published to the GitHub Advisory Database May 5, 2023
Reviewed May 5, 2023
Last updated May 5, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-fwj4-72fm-c93g

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.