{"id":"RUSTSEC-2021-0071","summary":"`grep-cli` may run arbitrary executables on Windows","details":"On Windows in versions of `grep-cli` prior to `0.1.6`, it's possible for some\nof the routines to execute arbitrary executables. In particular, a quirk of\nthe Windows process execution API is that it will automatically consider the\ncurrent directory before other directories when resolving relative binary\nnames. Therefore, if you use `grep-cli` to read decompressed files in an\nuntrusted directory with that directory as the CWD, a malicious actor to could\nput, e.g., a `gz.exe` binary in that directory and `grep-cli` will use the\nmalicious actor's version of `gz.exe` instead of the system's.\n\nThis is also technically possible on Unix as well, but only if the `PATH`\nvariable contains `.`. Conventionally, they do not.\n\nA `DecompressionReader` has been fixed to automatically resolve binary names\nusing `PATH`, instead of relying on the Windows API to do it.\n\nIf you use `grep-cli`'s `CommandReader` with a `std::process::Command` value\non Windows, then it is recommended to either construct the `Command` with an\nabsolute binary name, or use `grep-cli`'s new\n[`resolve_binary`](https://docs.rs/grep-cli/0.1.6/grep_cli/fn.resolve_binary.html)\nhelper function.\n\nTo be clear, `grep-cli 0.1.6` mitigates this issue in two ways:\n\n* A `DecompressionReader` will resolve decompression programs to absolute\npaths automatically using the `PATH` environment variable, instead of relying\non Windows APIs to do it (which would result in the undesirable behavior of\nchecking the CWD for a program first).\n* A new function, `resolve_binary`, was added to help users of this crate\nmitigate this behavior when they need to create their own\n`std::process::Command`. For example,\n[ripgrep uses `grep_cli::resolve_binary`](https://github.com/BurntSushi/ripgrep/blob/7ce66f73cf7e76e9f2557922ac8e650eb02cf4ed/crates/core/search.rs#L119-L122)\non the argument given to its `--pre` flag.\n\nWhile the first mitigation fixes this issue for sensible values of `PATH`\nwhen doing decompression search, the second mitigation is imperfect. The more\nfundamental issue is that `std::process::Command` is itself vulnerable to this.","aliases":["CVE-2021-3013","GHSA-g4xg-fxmg-vcg5"],"modified":"2023-11-08T04:05:44.745722Z","published":"2021-06-12T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/grep-cli"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0071.html"},{"type":"REPORT","url":"https://github.com/BurntSushi/ripgrep/issues/1773"}],"affected":[{"package":{"name":"grep-cli","ecosystem":"crates.io","purl":"pkg:cargo/grep-cli"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.1.6"}]}],"ecosystem_specific":{"affects":{"os":["windows"],"arch":[],"functions":["grep_cli::DecompressionReader::new"]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0071.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","informational":null,"categories":["code-execution"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}