Update HSEC-2024-0003 with new fix

haskell · Oct 2, 2024 · d5d7caf · d5d7caf
1 parent 08a0b53
commit d5d7caf
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/advisories/hackage/process/HSEC-2024-0003.md b/advisories/hackage/process/HSEC-2024-0003.md
@@ -18,6 +18,13 @@ url = "https://kb.cert.org/vuls/id/123335"
 type = "FIX"
 url = "https://github.com/haskell/process/commit/3c419f9eeedac024c9dccce544e5a6fb587179a5"
 
+[[references]]
+type = "FIX"
+url = "https://github.com/haskell/process/commit/951b02dd95559b1a26f2456bfb97cf740ea40934"
+
+[[references]]
+type = "FIX"
+url = "https://github.com/haskell/process/commit/5fc91f5f36ed4479be2b95f04f264bb78ac8089d"
 
 [[affected]]
 package = "process"
@@ -26,7 +33,7 @@ cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
 
 [[affected.versions]]
 introduced = "1.0.0.0"
-fixed = "1.6.19.0"
+fixed = "1.6.23.0"
 ```
 
 # process: command injection via argument list on Windows
@@ -147,6 +154,10 @@ bump.  Because we expect very few (if any) users will be impacted by
 the behavioural change, the GHC team made a pragmatic decision to
 avoid the disruption that a major version bump would cause.
 
+A follow-up fix was released in ***process-1.6.23.0*** to handle batch
+scripts with paths ending in whitespace and periods and
+unescaped `%` expansions.
+
 
 ## Acknowledgements
 
@@ -158,3 +169,7 @@ Ben Gamari commited and released the fix, which was based on a
 proposal by Fraser Tweedale.  Fraser also improved the
 `System.Process` module documentation to better explain the Windows
 semantics.
+
+Security researcher **Kainan Zhang** (@4xpl0r3r) discovered and
+responsibly disclosing the issue in the first fix and the Rust
+Security Response WG coordinated the response.