blob: 9cf984dca9ba5f739f67cbfbde74c12140557936 [file] [log] [blame]
- module:
- fixed: 0.16.6
vulnerable_at: 0.16.5
- module:
- introduced: 0.17.0
fixed: 0.17.1
vulnerable_at: 0.17.0
- module:
- fixed: 0.17.1
vulnerable_at: 0.17.0
summary: |-
Mutagen list and monitor operations do not neutralize control characters in text
controlled by remote endpoints
description: |-
### Impact
Mutagen command line operations, as well as the log output from `mutagen daemon
run`, are susceptible to control characters that could be provided by remote
endpoints. This can cause terminal corruption, either intentional or
unintentional, if these characters are present in error messages, file
paths/names, and/or log output. This could be used as an attack vector if
synchronizing with an untrusted remote endpoint, synchronizing files not under
control of the user, or forwarding to/from an untrusted remote endpoint. On very
old systems with terminals susceptible to issues such as
[CVE-2003-0069](, the issue could
theoretically cause code execution.
### Patches
The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of
Mutagen are no longer supported and will not be patched. Versions of Mutagen
after v0.18.0 will also have the patch merged.
One caveat is that the templating functionality of Mutagen's `list` and
`monitor` commands has been only partially patched. In particular, the `json`
template function already provided escaping and no patching was necessary.
However, raw template output has been left unescaped because this raw output may
be necessary for commands which embed Mutagen. To aid these commands, a new
`shellSanitize` template function has been added which provides control
character neutralization in strings.
### Workarounds
Avoiding synchronization of untrusted files or interaction with untrusted remote
endpoints should mitigate any risk.
### References
A similar issue can be seen in kubernetes/kubernetes#101695.
- CVE-2023-30844
- GHSA-jmp2-wc4p-wfh2
- web:
- advisory:
- package:
- web:
- web:
- 'lint: redundant non-advisory reference to GHSA-jmp2-wc4p-wfh2'
- 'lint: summary is too long: 111 characters (max 100)'