x/vulndb: potential Go vuln in github.com/mutagen-io/mutagen: GHSA-fwj4-72fm-c93g

[GoVulnBot]

In GitHub Security Advisory GHSA-fwj4-72fm-c93g, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/mutagen-io/mutagen	0.17.1	>= 0.17.0, < 0.17.1

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/mutagen-io/mutagen
    versions:
      - introduced: 0.17.0
        fixed: 0.17.1
    packages:
      - package: github.com/mutagen-io/mutagen
  - module: github.com/mutagen-io/mutagen
    versions:
      - fixed: 0.16.6
    packages:
      - package: github.com/mutagen-io/mutagen
summary: Under-validated ComSpec and cmd.exe resolution in Mutagen projects
description: |
    ### Impact

    Mutagen projects offer shell-based execution functionality.  On Windows, the shell is resolved using the standard `%ComSpec%` mechanism, with a fallback to a `%PATH%`-based search for `cmd.exe`.  While this is the standard practice on Windows systems, it presents somewhat risky behavior.

    Firstly, `%ComSpec%` could, in theory, be set maliciously.  Unfortunately, there's not much that can be done to prevent this attack surface, because `%ComSpec%` is the official mechanism for shell specification on Windows.  We can, however, validate that it points to an absolute path, which one would expect for a properly set value.

    Secondly, a fallback to a relative `cmd.exe` path, resolved via `%PATH%`, could be risky.  The risk is largely mitigated by changes in Go 1.19 and later, but prior to that a malicious `cmd.exe` could been resolved in the current working directory.  To mitigate this issue, Mutagen now uses the `%SystemRoot%` environment variable (also validated to be an absolute path) to resolve `cmd.exe` in the event that `%ComSpec%` is not set correctly.


    ### Patches

    The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.


    ### Workarounds

    Maintain control of the environment variable settings on your system, in particular the `ComSpec` environment variable.

    ### References

    More information on `%ComSpec%` can be found [online](https://en.wikipedia.org/wiki/COMSPEC).

    More information on Go's `PATH`-based lookup changes can be found [here](https://go.dev/blog/path-security), [here](https://go.dev/doc/go1.19#os-exec-path), and [here](https://github.com/golang/go/issues/43947).

    A [similar issue](https://github.com/python/cpython/issues/101283) that was addressed within the Python subprocess module also provides additional discussion.
ghsas:
  - GHSA-fwj4-72fm-c93g
references:
  - advisory: https://github.com/mutagen-io/mutagen/security/advisories/GHSA-fwj4-72fm-c93g
  - advisory: https://github.com/advisories/GHSA-fwj4-72fm-c93g

[gopherbot]

Change https://go.dev/cl/493895 mentions this issue: data/excluded: batch add GO-2023-1763, GO-2023-1764, GO-2023-1761, GO-2023-1758, GO-2023-1754

[gopherbot]

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606785 mentions this issue: data/reports: unexclude 20 reports (5)