Date: Mon, 20 Apr 2026 11:21:35 -0600
Subject: Re: cygrunsrv CWE-428
To: "cygwin AT cygwin DOT com"
From: William Stewart via Cygwin
Reply-To: bstewart AT iname DOT com
List-Id: General Cygwin discussions and problem reports

On Mon, Apr 20, 2026 at 9:43 AM James Warnock wrote:

> We use cygwin including installing some services via cygrunsrv. We have had
> some users run vulnerability scans which flag the installed services due to
> an unquoted service path (CWE-428 [1]). I haven't been able to find any
> discussion of this in the archives except for the "cygrunsrv -L outputs
> nothing if service paths are quoted" [2]. In that message, another user
> manually added quotes to resolve the vulnerability scan but then 'cygrunsrv
> -L' no longer listed installed services. That issue was fixed.
>
> I did come up with a simple patch (attached) that worked for my limited
> use case. But there may be considerations for global usage of which I am
> unaware.
>
> Should cygrunsrv be updated to automatically include the quotes?

Probably a good idea for a future update, if only to silence these dubious
"vulnerabilities" that get flagged by these scanners.

In the meantime, for those who might find it useful, I wrote a JScript
script that you can run as a GPO startup script that corrects this
"vulnerability" for all services on a machine (including services run by
cygrunsrv):

https://gist.github.com/Bill-Stewart/9379a8df293de418ed96ee6ea82c4459

Bill

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
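
The check a CWE-428 scanner applies to a service's ImagePath value, and the quoting that clears it, as an added example. It is not part of the original message, and it is neither the linked gist nor the attached patch. The function names, the `env` map and every sample path are constructed for illustration, and splitting the executable from its arguments at the first `.exe` is a heuristic assumption.

```javascript
// Added example: classify a Windows service ImagePath string for CWE-428.
// All sample values are constructed; nothing here reads a real registry.

// ImagePath is usually REG_EXPAND_SZ, so %VAR% references are expanded
// before launch. `env` is a plain object of variables (assumption).
function expandEnv(imagePath, env) {
  return imagePath.replace(/%([^%]+)%/g, (whole, name) => {
    const key = Object.keys(env).find(
      k => k.toLowerCase() === name.toLowerCase());
    return key ? env[key] : whole;
  });
}

// Heuristic: the executable ends at the first ".exe" that is followed by
// whitespace or end of string; anything after that is arguments.
const EXE = /^(.*?\.exe)(?=\s|$)/i;

// Returns { status, fixed }; status is 'ok', 'unquoted' or 'skipped'.
function checkImagePath(imagePath, env = {}) {
  const raw = imagePath.trim();
  if (raw.startsWith('"')) return { status: 'ok', fixed: raw };
  const rawExe = EXE.exec(raw);
  const expExe = EXE.exec(expandEnv(raw, env));
  // No .exe target (for example a .sys driver path): leave it alone.
  if (!rawExe || !expExe) return { status: 'skipped', fixed: raw };
  // A path with no whitespace after expansion is unambiguous.
  if (!/\s/.test(expExe[1])) return { status: 'ok', fixed: raw };
  // Quote only the executable; keep %VAR% unexpanded and keep arguments.
  const fixed = '"' + rawExe[1] + '"' + raw.slice(rawExe[1].length);
  return { status: 'unquoted', fixed };
}

// Names of the services whose ImagePath would be flagged.
function findUnquoted(services, env = {}) {
  return services
    .filter(s => checkImagePath(s.imagePath, env).status === 'unquoted')
    .map(s => s.name);
}

// Constructed sample data (service names and paths are hypothetical).
const SAMPLE_ENV = { ProgramFiles: 'C:\\Program Files', SystemRoot: 'C:\\Windows' };
const SAMPLE_SERVICES = [
  { name: 'sshd-default', imagePath: 'C:\\cygwin64\\bin\\cygrunsrv.exe' },
  { name: 'sshd-custom', imagePath: 'C:\\Program Files\\cygwin\\bin\\cygrunsrv.exe' },
  { name: 'agent', imagePath: '%ProgramFiles%\\Vendor\\agent.exe --service' },
  { name: 'quoted', imagePath: '"C:\\Program Files\\Vendor\\agent.exe" --service' },
  { name: 'driver', imagePath: '\\SystemRoot\\System32\\drivers\\example.sys' },
];
```

The `agent` entry is the case a plain search for spaces misses: the stored string has none until `%ProgramFiles%` is expanded.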