Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/mutagen-io/mutagen: GHSA-jmp2-wc4p-wfh2 #1759

Closed
GoVulnBot opened this issue May 5, 2023 · 1 comment
Assignees

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-jmp2-wc4p-wfh2, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/mutagen-io/mutagen 0.17.1 >= 0.17.0, < 0.17.1

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/mutagen-io/mutagen
    versions:
      - introduced: 0.17.0
        fixed: 0.17.1
    packages:
      - package: github.com/mutagen-io/mutagen
  - module: github.com/mutagen-io/mutagen
    versions:
      - fixed: 0.17.1
    packages:
      - package: github.com/mutagen-io/mutagen-compose
  - module: github.com/mutagen-io/mutagen
    versions:
      - fixed: 0.16.6
    packages:
      - package: github.com/mutagen-io/mutagen
summary: Mutagen list and monitor operations do not neutralize control characters
    in text controlled by remote endpoints
description: |
    ### Impact

    Mutagen command line operations, as well as the log output from `mutagen daemon run`, are susceptible to control characters that could be provided by remote endpoints.  This can cause terminal corruption, either intentional or unintentional, if these characters are present in error messages, file paths/names, and/or log output.  This could be used as an attack vector if synchronizing with an untrusted remote endpoint, synchronizing files not under control of the user, or forwarding to/from an untrusted remote endpoint.  On very old systems with terminals susceptible to issues such as [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069), the issue could theoretically cause code execution.


    ### Patches

    The problem has been patched in Mutagen v0.16.6 and v0.17.1.  Earlier versions of Mutagen are no longer supported and will not be patched.  Versions of Mutagen after v0.18.0 will also have the patch merged.

    One caveat is that the templating functionality of Mutagen's `list` and `monitor` commands has been only partially patched.  In particular, the `json` template function already provided escaping and no patching was necessary.  However, raw template output has been left unescaped because this raw output may be necessary for commands which embed Mutagen.  To aid these commands, a new `shellSanitize` template function has been added which provides control character neutralization in strings.


    ### Workarounds

    Avoiding synchronization of untrusted files or interaction with untrusted remote endpoints should mitigate any risk.


    ### References

    A similar issue can be seen in kubernetes/kubernetes#101695.
cves:
  - CVE-2023-30844
ghsas:
  - GHSA-jmp2-wc4p-wfh2
references:
  - advisory: https://github.com/mutagen-io/mutagen/security/advisories/GHSA-jmp2-wc4p-wfh2
  - advisory: https://github.com/advisories/GHSA-jmp2-wc4p-wfh2

@jba jba self-assigned this May 9, 2023
@jba jba added the duplicate label May 9, 2023
@jba
Copy link
Contributor

jba commented May 9, 2023

Duplicate of #1764

@jba jba marked this as a duplicate of #1764 May 9, 2023
@jba jba closed this as completed May 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants