Mail Archives: cygwin/2026/04/20/13:22:51

MIME-Version: 1.0
References: <SJ1PR10MB6003B9ADBEC8F87C9AC49AC3F82F2 AT SJ1PR10MB6003 DOT namprd10 DOT prod DOT outlook DOT com>
In-Reply-To: <SJ1PR10MB6003B9ADBEC8F87C9AC49AC3F82F2@SJ1PR10MB6003.namprd10.prod.outlook.com>
Date: Mon, 20 Apr 2026 11:21:35 -0600
Message-ID: <CANV9t=TEQVuhe72zoHB9Q2Cqrd8VihRPWqnRD8B6ZnhJVpUPpg@mail.gmail.com>
Subject: Re: cygrunsrv CWE-428
To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: William Stewart via Cygwin <cygwin AT cygwin DOT com>
Reply-To: bstewart AT iname DOT com
Cc: William Stewart <abqbill AT gmail DOT com>
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

On Mon, Apr 20, 2026 at 9:43 AM James Warnock wrote:

> We use cygwin including installing some services via cygrunsrv. We have had
> some users run vulnerability scans which flag the installed services due to
> an unquoted service path (CWE-428 [1]). I haven't been able to find any
> discussion of this in the archives except for the "cygrunsrv -L outputs
> nothing if service paths are quoted" [2]. In that message, another user
> manually added quotes to resolve the vulnerability scan but then 'cygrunsrv
> -L' no longer listed installed services. That issue was fixed.
>
> I did come up with a simple patch (attached) that worked for my limited
> use case. But there may be considerations for global usage of which I am
> unaware.
>
> Should cygrunsrv be updated to automatically include the quotes?


Probably a good idea for a future update, if only to silence these dubious
"vulnerabilities" that get flagged by these scanners.

In the meantime, for those who might find it useful, I wrote a JScript
script that you can run as a GPO startup script that corrects this
"vulnerability" for all services on a machine (including services run by
cygrunsrv):

https://gist.github.com/Bill-Stewart/9379a8df293de418ed96ee6ea82c4459

Bill
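
A check for the unquoted-path condition (CWE-428) discussed in this thread, as an added example that is not part of either message, not cygrunsrv code, and not the code in the linked gist. It is plain JavaScript working on ImagePath strings only; the extension heuristic, the `exists` callback and the sample services are assumptions constructed for illustration.

```javascript
// Added example; not cygrunsrv code and not the gist's code.
// Heuristic (assumption): the program path ends at the first of these
// extensions that is followed by whitespace or the end of the string.
const EXE_END = /\.(exe|com|bat|cmd)(?=\s|$)/gi;

// Classify one ImagePath. `exists` is an optional, hypothetical predicate
// (path -> boolean) used to pick the real executable when several split
// points are possible, e.g. a directory whose name contains ".exe ".
function analyzeImagePath(imagePath, exists) {
  const raw = imagePath.trim();
  if (raw.startsWith('"')) return { status: 'quoted', fixed: raw };
  // Driver-style paths are not parsed as a command line.
  if (/^\\(SystemRoot|\?\?)\\/i.test(raw)) return { status: 'driver', fixed: raw };

  const ends = [...raw.matchAll(EXE_END)].map(m => m.index + m[0].length);
  if (ends.length === 0) {
    // No recognisable executable: do not guess where the quotes belong.
    return { status: /\s/.test(raw) ? 'review' : 'ok', fixed: raw };
  }
  const end = (exists && ends.find(e => exists(raw.slice(0, e)))) || ends[0];
  const exe = raw.slice(0, end);
  if (!/\s/.test(exe)) return { status: 'ok', fixed: raw };
  // Quote only the executable; arguments stay outside the quotes.
  return { status: 'unquoted', fixed: '"' + exe + '"' + raw.slice(end) };
}

// Return the services whose ImagePath a CWE-428 scanner would flag.
function auditServices(services, exists) {
  return services
    .map(s => ({ name: s.name, ...analyzeImagePath(s.imagePath, exists) }))
    .filter(r => r.status === 'unquoted' || r.status === 'review');
}

// Constructed sample data (service names and paths are made up).
const SAMPLE = [
  { name: 'cygsshd', imagePath: String.raw`C:\Program Files\cygwin64\bin\cygrunsrv.exe` },
  { name: 'agent',   imagePath: String.raw`C:\Program Files\Acme Agent\agent.exe --service` },
  { name: 'quoted',  imagePath: String.raw`"C:\Program Files\Acme Agent\agent.exe" --service` },
  { name: 'svchost', imagePath: String.raw`%SystemRoot%\System32\svchost.exe -k netsvcs` },
  { name: 'nulldrv', imagePath: String.raw`\SystemRoot\System32\drivers\null.sys` },
  { name: 'odd',     imagePath: String.raw`C:\tools v1.exe files\svc.exe -d` },
];

for (const r of auditServices(SAMPLE)) {
  console.log(r.status.padEnd(9), r.name.padEnd(8), r.fixed);
}
```

Without an `exists` callback the `odd` entry is split at the first `.exe`, so on a real host pass a file-existence check before writing any `fixed` value back to the registry.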
