
Cloud Vulnerability DB
A community-led vulnerabilities database
A command argument injection vulnerability was discovered in tracexec's command line reconstruction feature (GHSA-6fgx-x7m2-74qm), affecting versions prior to 0.14.0. The vulnerability occurs when a traced process executes another process with environment variables that have keys starting with a dash, causing tracexec to incorrectly display the command line in a way that could lead to argument injection for the env command (GitHub Advisory).
The vulnerability manifests at the UI level when tracexec reconstructs command lines containing environment variables with keys starting with dashes. A proof of concept involves executing 'env -- -a=b bash --norc' in tracexec's TUI mode, which results in the command being incorrectly displayed as 'env -a bash -a=b _=/usr/bin/env /usr/bin/bash --norc', effectively injecting '-a=b' into env's arguments. The vulnerability is classified as Low severity with a CVSS v4 base score, requiring local access, low attack complexity, and active user interaction (GitHub Advisory).
The vulnerability has limited security impact as it primarily affects the UI display. However, if a user copies and executes the maliciously crafted command line from tracexec's output, it could lead to argument injection for various env command options including --block-signal, --default-signal, --ignore-signal, --split-string, --unset, --chdir, and --argv0 (GitHub Advisory).
Users are advised to upgrade to tracexec version 0.14.0, which contains the fix. As a workaround, users should avoid blindly copying and executing commands from tracexec that contain environment variables where the key starts with a dash. The permanent fix was implemented in pull request #118 (GitHub Advisory).
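The display problem described above can be reproduced in a few lines. The following is an added illustration, not tracexec's code and not the change made in pull request #118: the function names are hypothetical, and the hardened variant assumes that env stops option parsing at `--`, as the page's own proof of concept relies on.

```rust
// Added illustration; not tracexec's code. All names here are hypothetical.

/// Minimal POSIX single-quote escaping for display purposes.
fn sh_quote(s: &str) -> String {
    let safe = !s.is_empty()
        && s.chars().all(|c| c.is_ascii_alphanumeric() || "-_=/.:,+@%".contains(c));
    if safe { s.to_string() } else { format!("'{}'", s.replace('\'', "'\\''")) }
}

/// True when an environment key would be read by `env` as an option.
fn key_looks_like_option(key: &str) -> bool {
    key.starts_with('-')
}

/// Rebuild `env [-a ARGV0] [--] KEY=VAL... FILE ARGS...` for display.
/// harden = false: assignments follow the options directly, so a key that
/// starts with a dash lands where env expects options.
/// harden = true: emit `--` before the assignments when any key starts
/// with a dash, so the copied line keeps the traced meaning.
fn reconstruct(argv0: Option<&str>, env: &[(&str, &str)], file: &str,
               args: &[&str], harden: bool) -> String {
    let mut out = vec!["env".to_string()];
    if let Some(a) = argv0 {
        out.push("-a".into());
        out.push(sh_quote(a));
    }
    if harden && env.iter().any(|(k, _)| key_looks_like_option(k)) {
        out.push("--".into());
    }
    for (k, v) in env {
        out.push(sh_quote(&format!("{k}={v}")));
    }
    out.push(sh_quote(file));
    out.extend(args.iter().map(|a| sh_quote(a)));
    out.join(" ")
}

fn main() {
    // Constructed sample mirroring the advisory's proof of concept.
    let env = [("-a", "b"), ("_", "/usr/bin/env")];
    println!("{}", reconstruct(Some("bash"), &env, "/usr/bin/bash", &["--norc"], false));
    println!("{}", reconstruct(Some("bash"), &env, "/usr/bin/bash", &["--norc"], true));
}
```

The first printed line matches the ambiguous display quoted in the advisory; the second keeps `-a=b` on the assignment side of `--`.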
Source: This report was generated using AI