[release] Prepare changelog and version file for 2.3.2 and 2.3.3-dev.0.0

Change-Id: I13d22aaf86158b03a73304762ceef165698b055f
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/105583
Reviewed-by: Alexander Thomas <athom@google.com>
Jonas Termansen 2019-06-11 14:17:40 +00:00
parent 3972f738ca
commit b95eed15cf
2 changed files with 33 additions and 29 deletions


@ -1,34 +1,7 @@
## 2.3.2-dev.XX.0
## 2.3.3-dev.XX.0
(Add new changes here, and they will be copied to the change section for the
next dev version)
### Security vulnerability
* **Security improvement:** On Linux and Android, starting a process with
`Process.run`, `Process.runSync`, or `Process.start` would first search the
current directory before searching `PATH` (Issue [37101][]). This behavior
effectively put the current working directory in the front of `PATH`, even if
it wasn't in the `PATH`. This release changes that behavior to only searching
the directories in the `PATH` environment variable. Operating systems other
than Linux and Android didn't have this behavior and aren't affected by this
vulnerability.
This vulnerability could result in execution of untrusted code if a command
without a slash in its name was run inside an untrusted directory containing
an executable file with that name:
```dart
Process.run("ls", workingDirectory: "/untrusted/directory")
```
This would attempt to run `/untrusted/directory/ls` if it existed, even
though it is not in the `PATH`. It was always safe to instead use an absolute
path or a path containing a slash.
This vulnerability was introduced in Dart 2.0.0.
[37101]: https://github.com/dart-lang/sdk/issues/37101
### Core libraries
#### `dart:isolate`
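Review bot: Dropping the `[37101]: https://github.com/dart-lang/sdk/issues/37101` reference definition from the dev section is only safe if nothing left under the new `## 2.3.3-dev.XX.0` header still writes `[37101][]`; the remaining context in this hunk is just the placeholder note and the `### Core libraries` / `#### dart:isolate` headings, so that holds, but anyone who later mentions 37101 under 2.3.3-dev will get literal brackets instead of a link unless they re-add the definition. Retitling the header from `2.3.2-dev.XX.0` to `2.3.3-dev.XX.0` is the right follow-up to cutting the 2.3.2 entry out of the dev section.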
@ -171,6 +144,37 @@ Updated the linter to `0.1.89`, which includes the following changes:
* **Breaking change:** The `await for` allowed `null` as a stream due to a bug
in `StreamIterator` class. This bug has now been fixed.
## 2.3.2 - 2019-06-11
This is a patch version release with a security improvement.
### Security vulnerability
* **Security improvement:** On Linux and Android, starting a process with
`Process.run`, `Process.runSync`, or `Process.start` would first search the
current directory before searching `PATH` (Issue [37101][]). This behavior
effectively put the current working directory in the front of `PATH`, even if
it wasn't in the `PATH`. This release changes that behavior to only searching
the directories in the `PATH` environment variable. Operating systems other
than Linux and Android didn't have this behavior and aren't affected by this
vulnerability.
This vulnerability could result in execution of untrusted code if a command
without a slash in its name was run inside an untrusted directory containing
an executable file with that name:
```dart
Process.run("ls", workingDirectory: "/untrusted/directory")
```
This would attempt to run `/untrusted/directory/ls` if it existed, even
though it is not in the `PATH`. It was always safe to instead use an absolute
path or a path containing a slash.
This vulnerability was introduced in Dart 2.0.0.
[37101]: https://github.com/dart-lang/sdk/issues/37101
## 2.3.1 - 2019-05-21
This is a patch version release with bug fixes.
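Review bot: The snippet in the new 2.3.2 entry, `Process.run("ls", workingDirectory: "/untrusted/directory")`, omits the required positional `arguments` list and would not compile as written; `Process.run("ls", [], workingDirectory: "/untrusted/directory")` shows the same hazard with a call that actually runs. Two smaller points in the same entry: the heading reads `### Security vulnerability` while the bullet is labelled `**Security improvement:**`, so the two should use one wording; and the entry cites only the issue link, so if an advisory identifier was assigned for issue 37101 it belongs next to that link so readers can match this release note to their vulnerability tracking.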


@ -32,7 +32,7 @@
CHANNEL be
MAJOR 2
MINOR 3
PATCH 2
PATCH 3
PRERELEASE 0
PRERELEASE_PATCH 0
ABI_VERSION 5