
fix(installer): do not quote servicepath in registry #1765

Merged
merged 1 commit into from
Sep 26, 2024

Conversation

jkroepke

@jkroepke jkroepke commented Sep 26, 2024

PR Description

See #1764 for context

Which issue(s) this PR fixes

Fixes #1764

Notes to the Reviewer

This change reverts a fix in context of CVE-2024-8975. This change needs to be carefully reviewed.

https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996/?camp=blog&cnt=Today+we+released+Grafana&mdm=social&src=li

However, the current approach breaks any Windows Setup.

The registry value with quotes is passed to the exec.Command call from Go. It needs to be checked whether exec.Command is affected by c:\Program.exe as well. At least I tested the potential issue on a Windows Server 2022 and everything still works as expected. The Program.exe is not called.

Screenshot 2024-09-26 at 12:28:02

PR Checklist

  • CHANGELOG.md updated
  • Documentation added
  • Tests updated
  • Config converters updated
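The exec.Command interaction raised in the description, as an added Go example that is not Alloy's code: the registry value feeds exec.Command, which quotes the executable itself on Windows, so a value that already carries quotes names a file that does not exist, while the unquoted value yields a correctly quoted command line. The paths, the check function and the simplified EscapeArg are constructed for illustration.

```go
package main

import "strings"

// Constructed registry values (not from the Alloy installer): the quoted form
// that broke Windows setups and the unquoted form written after this PR.
const (
	QuotedValue   = `"C:\Program Files\GrafanaLabs\Alloy\alloy-windows-amd64.exe"`
	UnquotedValue = `C:\Program Files\GrafanaLabs\Alloy\alloy-windows-amd64.exe`
)

// ServicePathFromRegistry is the check a Go service wrapper can apply before
// exec.Command: a value still carrying quotes names a file that does not exist.
func ServicePathFromRegistry(value string) (exe string, ok bool) {
	if strings.Contains(value, `"`) {
		return "", false
	}
	return value, true
}

// EscapeArg is a simplified form of the rule Go applies to each argument on
// Windows (syscall.EscapeArg): quote when it contains a space, tab or quote.
func EscapeArg(s string) string {
	if !strings.ContainsAny(s, " \t\"") {
		return s
	}
	return `"` + strings.ReplaceAll(s, `"`, `\"`) + `"`
}

// CommandLine builds the lpCommandLine exec.Command hands to CreateProcess.
func CommandLine(exe string, args ...string) string {
	parts := []string{EscapeArg(exe)}
	for _, a := range args {
		parts = append(parts, EscapeArg(a))
	}
	return strings.Join(parts, " ")
}

// AmbiguousExecutable reports whether CreateProcess would have to guess where
// the executable ends (first token unquoted, a space in the line). exec.Command
// avoids this by quoting the path and passing the exe as lpApplicationName.
func AmbiguousExecutable(cmdline string) bool {
	return !strings.HasPrefix(cmdline, `"`) && strings.Contains(cmdline, " ")
}

func main() {
	exe, ok := ServicePathFromRegistry(UnquotedValue)
	cl := CommandLine(exe, "run")
	println(ok, cl, AmbiguousExecutable(cl))
}
```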

@jkroepke jkroepke requested a review from a team as a code owner September 26, 2024 10:29

@wildum wildum left a comment


Thanks a lot, we tested it and confirmed that it works and that it does not expose the CVE


@ptodev ptodev left a comment


Thank you very much, and apologies for this problem! We tested this by placing a custom "C:\Program.exe" executable and running Alloy's service. The "C:\Program.exe" executable isn't being started, so the bugfix doesn't have vulnerabilities.

@wildum wildum merged commit 6d87c35 into grafana:main Sep 26, 2024
15 checks passed
ptodev added a commit that referenced this pull request Sep 26, 2024
* fix(installer): do not quote servicepath in registry (#1765)

* Update VERSION file

---------

Co-authored-by: Jan-Otto Kröpke <joe@cloudeteer.de>
ptodev added a commit that referenced this pull request Sep 26, 2024
* fix(installer): do not quote servicepath in registry (#1765)

* Update VERSION

---------

Co-authored-by: Jan-Otto Kröpke <joe@cloudeteer.de>
@jkroepke jkroepke deleted the quote branch September 26, 2024 14:43
Successfully merging this pull request may close these issues.

Alloy 1.4.0/1.3.3: Quoting issues with Windows Service
3 participants