Hello,

While working on sqlitebrowser security (which uses CMake) I've found that the installer executes an unquoted command when it calls the uninstall command.

POC screenshot in attached file.

This allows a privilege escalation as described here: cwe.mitre.org/data/definitions/428.html

After digging a little bit more with the sqlitebrowser team we found out that this line is the problem:
https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L916

This:
    ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file

Should be:
    ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file

Here is a patch that corrects the vulnerability:
https://github.com/justinclift/CMake/commit/af65a04f690e1d6e6e2d3aa3467116689ab12b4f

We've tested this, it works fine and fully corrects the vulnerability :)

If you ever reward such reports let me know and please, if you can, credit me for the report.

Best Regards
Cyril Vallicari / Ug_0 Security
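The report above hinges on one NSIS detail: `Exec`/`ExecWait` hand the whole string to Windows as a command line, so a path variable that is not wrapped in its own double quotes is split at the first space (CWE-428). The following is an added example, not code from the email, from CMake, or from sqlitebrowser: a small checker that scans NSIS script text for `Exec`/`ExecWait` calls whose command string starts with an unquoted NSIS variable, so a build or review step can catch the pattern before it ships. The sample script it runs on is constructed here and includes the exact vulnerable and fixed lines quoted in the report; the function names are my own.

```python
import re
from typing import List, Tuple

# Matches an Exec or ExecWait call and captures the quoted command string.
# NSIS accepts ', " or ` as the outer string delimiter. ExecShell is left out
# because its first argument is an action verb, not the command path.
_EXEC_RE = re.compile(
    r"^\s*(?P<cmd>ExecWait|Exec)\s+(?P<q>['\"`])(?P<body>.*?)(?P=q)"
)

# An NSIS variable: $0..$9, $R0..$R9, $INSTDIR, $TEMP, ... or a ${DEFINE}.
_VAR_RE = re.compile(r"\$(?:\d+|[A-Za-z_][A-Za-z0-9_]*|\{[^}]*\})")


def first_token_is_unquoted_variable(body: str) -> bool:
    """True when the command string begins with an NSIS variable that is not
    enclosed in inner double quotes, i.e. the shape `$0 args` rather than
    `"$0" args`. Windows will split the former at the first space."""
    stripped = body.lstrip()
    if stripped.startswith('"'):
        return False
    return _VAR_RE.match(stripped) is not None


def find_unquoted_exec(nsis_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every Exec/ExecWait whose command path
    is an unquoted variable. Lines that are commented out with a leading ';'
    never match because the regex is anchored at line start."""
    findings = []
    for lineno, line in enumerate(nsis_text.splitlines(), start=1):
        m = _EXEC_RE.match(line)
        if m and first_token_is_unquoted_variable(m.group("body")):
            findings.append((lineno, line.strip()))
    return findings


# Constructed sample: lines 2 and 3 are the vulnerable and fixed lines from the
# report; the rest exercise the other quoting shapes NSIS scripts use.
SAMPLE_NSIS = """\
Section "Uninstall"
  ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file
  ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file
  Exec "$INSTDIR\\app.exe"
  Exec '"$INSTDIR\\app.exe" /silent'
  ; ExecWait '$1' commented out, must not be reported
SectionEnd
"""


def main() -> None:
    for lineno, text in find_unquoted_exec(SAMPLE_NSIS):
        print(f"line {lineno}: unquoted path in {text}")


if __name__ == "__main__":
    main()
```

Running the block reports lines 2 and 4 of the sample: the original `ExecWait '$0 _?=$3'` and an `Exec "$INSTDIR\app.exe"` whose path would break on an install directory containing a space. The fixed line from the patch, with `"$0"` inside the outer single quotes, passes. The checker deliberately treats only the leading token: arguments after the path are the caller's business, and a quoted path followed by unquoted switches is the normal, safe form.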
--
Powered by www.kitware.com
cmake-developers mailing list: http://public.kitware.com/mailman/listinfo/cmake-developers