AppImage publishing relies on script hosted on another web site #3179

@SteveL-MSFT

Merged #2082 prematurely. @lzybkr brought to my attention that his concern wasn't addressed.

https://github.com/PowerShell/PowerShell/blob/master/tools/appimage.sh#L41

Relies on

https://github.com/probonopd/AppImages/raw/e05cbebc62c86f8c602d74d9050bbfbf10df1c69/functions.sh 

which internally gets and executes other scripts.

If any of these scripts are compromised, we'll run arbitrary code as part of our publishing pipeline.
We need to resolve this vulnerability before we start publishing appimages.

CC @raghushantha @andschwa @probonopd
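
The risk described in this issue has two layers: the helper script fetched by the build, and whatever that helper downloads in turn. The following is an added example, not code from the PowerShell repository or from the script it references, of a pre-source audit that checks both. The function names, the `example.invalid` URLs and the sample script are constructed for illustration, and the `grep` for `wget`/`curl` is a heuristic rather than a shell parser.

```shell
#!/usr/bin/env bash
# Added example: audit a fetched helper script before a build sources it.

# Constructed stand-in for a downloaded helper (not the real functions.sh).
make_sample() {
    cat > "$1" <<'EOF'
get_tool() {
  wget -q https://example.invalid/tools/helper.sh -O helper.sh
  . ./helper.sh
}
curl -fsSL "https://example.invalid/raw/master/setup.sh" | bash
echo "docs: https://example.invalid/docs"
EOF
}

# Print the hex SHA-256 digest of a file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Succeed only if the file matches the digest recorded at review time.
verify_pinned() { [ "$(sha256_of "$1")" = "$2" ]; }

# List URLs that the script itself downloads with wget or curl when it runs.
list_remote_fetches() {
    grep -E '(^|[^[:alnum:]_])(wget|curl)[[:space:]]' "$1" |
        grep -oE "https?://[^[:space:]\"']+" | sort -u
}

# Return 0 if safe to source, 1 on digest mismatch, 2 on run-time downloads.
audit_script() {
    local file="$1" expected="$2" nested
    if ! verify_pinned "$file" "$expected"; then
        echo "reject $file: digest mismatch" >&2
        return 1
    fi
    # A pinned top-level file can still pull unreviewed code when it runs.
    nested=$(list_remote_fetches "$file")
    if [ -n "$nested" ]; then
        echo "reject $file: downloads at run time:" >&2
        echo "$nested" >&2
        return 2
    fi
    return 0
}

# Demo on the constructed sample: pinned digest matches, nested fetches remain.
demo=$(mktemp)
make_sample "$demo"
audit_script "$demo" "$(sha256_of "$demo")" || echo "audit exit code: $?"
rm -f "$demo"
```

A build would call `audit_script` on the downloaded file and source it only on exit code 0; exit code 2 means the nested downloads need to be vendored or pinned as well.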
