Impact
Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard %ComSpec% mechanism, with a fallback to a %PATH%-based search for cmd.exe. While this is the standard practice on Windows systems, it presents somewhat risky behavior.
Firstly, %ComSpec% could, in theory, be set maliciously. Unfortunately, there's not much that can be done to prevent this attack surface, because %ComSpec% is the official mechanism for shell specification on Windows. We can, however, validate that it points to an absolute path, which one would expect for a properly set value.
Secondly, a fallback to a relative cmd.exe path, resolved via %PATH%, could be risky. The risk is largely mitigated by changes in Go 1.19 and later, but prior to that a malicious cmd.exe could been resolved in the current working directory. To mitigate this issue, Mutagen now uses the %SystemRoot% environment variable (also validated to be an absolute path) to resolve cmd.exe in the event that %ComSpec% is not set correctly.
Patches
The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.
Workarounds
Maintain control of the environment variable settings on your system, in particular the ComSpec environment variable.
References
More information on %ComSpec% can be found online.
More information on Go's PATH-based lookup changes can be found here, here, and here.
A similar issue that was addressed within the Python subprocess module also provides additional discussion.
References
Impact
Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard
%ComSpec%mechanism, with a fallback to a%PATH%-based search forcmd.exe. While this is the standard practice on Windows systems, it presents somewhat risky behavior.Firstly,
%ComSpec%could, in theory, be set maliciously. Unfortunately, there's not much that can be done to prevent this attack surface, because%ComSpec%is the official mechanism for shell specification on Windows. We can, however, validate that it points to an absolute path, which one would expect for a properly set value.Secondly, a fallback to a relative
cmd.exepath, resolved via%PATH%, could be risky. The risk is largely mitigated by changes in Go 1.19 and later, but prior to that a maliciouscmd.execould been resolved in the current working directory. To mitigate this issue, Mutagen now uses the%SystemRoot%environment variable (also validated to be an absolute path) to resolvecmd.exein the event that%ComSpec%is not set correctly.Patches
The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.
Workarounds
Maintain control of the environment variable settings on your system, in particular the
ComSpecenvironment variable.References
More information on
%ComSpec%can be found online.More information on Go's
PATH-based lookup changes can be found here, here, and here.A similar issue that was addressed within the Python subprocess module also provides additional discussion.
References