<div dir="ltr"><span style="font-size:12.8px">Hello,</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">While working </span><font color="#000000" style="font-size:12.8px">on <span style="font-size:14px;line-height:16px;white-space:nowrap">sqlitebrowser security (which uses CMake), I've found that the installer</span><br><span style="font-size:14px;line-height:16px;white-space:nowrap"> executes an unquoted command when it calls the uninstall command.</span><br><br><span style="font-size:14px;line-height:16px;white-space:nowrap">POC screenshot in attached file.</span><br><br><span style="font-size:14px;line-height:16px;white-space:nowrap">This allows a privilege escalation, as described here: <a href="http://cwe.mitre.org/data/definitions/428.html" target="_blank">cwe.mitre.org/data/definitions/428.html</a></span><br><br><span style="font-size:14px;line-height:16px;white-space:nowrap">After digging a little bit more with the </span></font><span style="color:rgb(0,0,0);font-size:14px;line-height:16px;white-space:nowrap">sqlitebrowser team, we found out that this line is the problem:<br></span><font color="#000000" style="font-size:12.8px"><br><span style="font-size:14px;line-height:16px;white-space:nowrap"><a href="https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L916" target="_blank">https://github.com/Kitware/CMake/blob/master/Modules/NSIS.template.in#L916</a></span><br><br>This:<br></font><span style="color:rgb(51,51,51);font-family:Consolas,&quot;Liberation Mono&quot;,Menlo,Courier,monospace;font-size:12px;line-height:20px;white-space:pre-wrap;background-color:rgb(248,238,199)">ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file
</span><font color="#000000" style="font-size:12.8px"><br>Should be:<br><br></font><span style="color:rgb(51,51,51);font-family:Consolas,&quot;Liberation Mono&quot;,Menlo,Courier,monospace;font-size:12px;line-height:20px;white-space:pre-wrap;background-color:rgb(234,255,234)">+  ExecWait '</span><span style="border-radius:0.2em;color:rgb(51,51,51);font-family:Consolas,&quot;Liberation Mono&quot;,Menlo,Courier,monospace;font-size:12px;line-height:20px;white-space:pre-wrap;background-color:rgb(166,243,166)">"$0"</span><span style="color:rgb(51,51,51);font-family:Consolas,&quot;Liberation Mono&quot;,Menlo,Courier,monospace;font-size:12px;line-height:20px;white-space:pre-wrap;background-color:rgb(234,255,234)"> _?=$3' ;Do not copy the uninstaller to a temp file
</span><font color="#000000" style="font-size:12.8px"><br>Here is a patch that corrects the vulnerability:<br><br><a href="https://github.com/justinclift/CMake/commit/af65a04f690e1d6e6e2d3aa3467116689ab12b4f" target="_blank">https://github.com/justinclift/CMake/commit/af65a04f690e1d6e6e2d3aa3467116689ab12b4f</a><br><br>We've tested this; it works fine and fully corrects the vulnerability :)<br><br>If you ever reward such reports, let me know and please, if you can, credit me for the report.<br><br>Best Regards<br><br>Cyril Vallicari / Ug_0 Security</font><br></div>
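Added example, not part of the report above or of CMake or NSIS: a small Python emulation of the documented CreateProcess rule that makes the unquoted `ExecWait '$0 _?=$3'` a CWE-428 issue. When the command line does not start with a quote, CreateProcess treats every space as a possible end of the executable name and tries the prefixes left to right (appending `.exe` when a candidate has no extension), so an install path containing spaces yields shorter candidate paths that are tried before the real uninstaller. The values for `$0` (uninstaller path) and `$3` (install directory) are constructed assumptions for the demo, chosen to match a default sqlitebrowser install; the template itself is what the report quotes. Whether the first candidate is actually writable on a given machine depends on the ACLs along the install path, but since the uninstaller runs with the privileges of the user who launched it (typically elevated), any planted file that wins the race runs with those privileges.

```python
import ntpath

# Constructed stand-ins for the NSIS variables the CMake template passes to
# ExecWait: $0 = uninstaller path, $3 = install directory (assumptions for
# this demo, not values read from the template).
INSTDIR = r"C:\Program Files\sqlitebrowser"
UNINSTALLER = INSTDIR + r"\Uninstall.exe"

VULNERABLE_TEMPLATE = "$0 _?=$3"      # the line reported above
FIXED_TEMPLATE = '"$0" _?=$3'         # the proposed fix: quote $0


def expand(template: str, uninstaller: str = UNINSTALLER,
           instdir: str = INSTDIR) -> str:
    """Substitute $0 and $3 the way NSIS does before calling ExecWait."""
    return template.replace("$0", uninstaller).replace("$3", instdir)


def with_exe(path: str) -> str:
    """CreateProcess appends .exe when the candidate has no extension."""
    return path if "." in ntpath.basename(path) else path + ".exe"


def module_candidates(cmdline: str) -> list:
    """Executable paths CreateProcess tries, in order, when the command line
    is passed without a separate application name (what ExecWait does).

    Quoted: only the quoted token is a candidate.
    Unquoted: each space is a possible end of the module name, tried left
    to right; this is the documented CreateProcess behaviour behind CWE-428.
    """
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            end = len(cmdline)
        return [with_exe(cmdline[1:end])]
    candidates = []
    pos = 0
    while True:
        pos = cmdline.find(" ", pos)
        prefix = cmdline if pos == -1 else cmdline[:pos]
        candidates.append(with_exe(prefix))
        if pos == -1:
            return candidates
        pos += 1


def hijack_points(cmdline: str, real_exe: str) -> list:
    """Paths where a planted file would run instead of the intended
    executable: everything CreateProcess tries *before* reaching it."""
    tried = module_candidates(cmdline)
    return tried[:tried.index(real_exe)] if real_exe in tried else tried


if __name__ == "__main__":
    for name, tmpl in (("vulnerable", VULNERABLE_TEMPLATE),
                       ("fixed", FIXED_TEMPLATE)):
        cmd = expand(tmpl)
        print(f"{name}: ExecWait {cmd!r}")
        for p in hijack_points(cmd, UNINSTALLER):
            print("   a file planted here runs in place of the uninstaller:", p)
```

For the unquoted template the first candidate is `C:\Program.exe`, tried before `C:\Program Files\sqlitebrowser\Uninstall.exe`; with `$0` quoted the only candidate is the uninstaller itself, which is why the one-token change in the patch is sufficient. The same check applies to any other `Exec`/`ExecWait` line in an NSIS script whose first token may contain spaces.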