=====================================================================
CERT-Renater Information Note No. 2026/VULN559
_____________________________________________________________________
DATE                 : 29/05/2026
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Mesa benchmarks.yml versions prior to 3.5.1.
=====================================================================

https://github.com/mesa/mesa/security/advisories/GHSA-3j55-5q6x-2h48
_____________________________________________________________________

Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner
Severity: High
jackiekazil published GHSA-3j55-5q6x-2h48 on Mar 5, 2026

Package           : benchmarks.yml (GitHub Actions)
Affected versions : < 3.5.1
Patched versions  : > 3.5.0

Description

Summary: Checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner (GHSL-2025-009)

The benchmarks.yml workflow checks out code from the PR branch, then calls pip install as well as the Python script global_benchmark.py. Because these scripts come from the PR branch, a malicious setup.py or benchmarks/global_benchmark.py could be placed in the PR branch, allowing it to run arbitrary code in the runner, which has write privileges to issues and pull requests.

Impact

This issue may lead to code execution in a runner with write privileges.

Remediation

As the workflow only needs write privileges in the "Comment PR" step, we suggest splitting it into two separate workflows, as outlined in this article by Jaroslav Lobačevski. The first workflow contains the steps that run the benchmarks, is triggered on the lower-privileged pull_request event instead of pull_request_target, and has its permissions set to read-only. A second workflow containing only the "Comment PR" step can retain the permissions of the original workflow; it is triggered on workflow_run from the first workflow and consumes the TIMING_COMPARISON variable as an artifact uploaded by the first workflow.

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2025-009 in any communication regarding this issue.

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.

Severity: High, 8.3 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Changed
  Confidentiality     : Low
  Integrity           : Low
  Availability        : Low
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVE ID     : CVE-2026-29075
Weaknesses : No CWEs
Credits    : @jackiekazil (jackiekazil), remediation verifier

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris           | email: cert@support.renater.fr  +
=========================================================
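The two-workflow split recommended in the Remediation section above, as an added illustration that is not Mesa's actual workflow file (whose contents are not reproduced in this note): a sketch of the risky shape, then the read-only benchmark workflow and the privileged comment workflow that consumes its artifact, shown as three YAML documents separated by `---`. Job, step, artifact and file names are hypothetical; the uploaded artifact stands in for the TIMING_COMPARISON variable, and the comment step treats it as untrusted data because it was produced by PR-controlled code.

```yaml
# 1. Risky shape (hypothetical sketch, not Mesa's actual file): privileged trigger + PR checkout
on: pull_request_target                    # base-repo token with write scopes, secrets available
permissions: { issues: write, pull-requests: write }
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { ref: "${{ github.event.pull_request.head.sha }}" }      # untrusted PR code
      - run: pip install -e . && python benchmarks/global_benchmark.py  # executed with that token
---
# 2a. benchmarks.yml (fixed): untrusted code runs with a read-only token and no write scopes
name: benchmarks
on: pull_request
permissions: { contents: read }
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # PR merge ref; only a read-only token is exposed here
      - run: pip install -e . && mkdir out && python benchmarks/global_benchmark.py > out/timing.txt
      - run: echo "${{ github.event.pull_request.number }}" > out/pr_number.txt
      - uses: actions/upload-artifact@v4   # stands in for TIMING_COMPARISON; consumer treats it as data
        with: { name: timing-comparison, path: out }
---
# 2b. benchmarks-comment.yml (fixed): privileged, but never checks out or executes PR code
name: benchmarks-comment
on: { workflow_run: { workflows: [benchmarks], types: [completed] } }
permissions: { pull-requests: write }
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: timing-comparison, run-id: "${{ github.event.workflow_run.id }}", github-token: "${{ github.token }}" }
      - name: Comment PR
        uses: actions/github-script@v7
        with:
          script: |
            // Artifact files were written by PR-controlled code: validate them, never execute them
            const fs = require('fs');
            const pr = Number(fs.readFileSync('pr_number.txt', 'utf8').trim());
            if (!Number.isInteger(pr) || pr <= 0) throw new Error('bad pr_number.txt in artifact');
            const body = fs.readFileSync('timing.txt', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({ owner: context.repo.owner,
              repo: context.repo.repo, issue_number: pr, body });
```

The PR number is carried in the artifact rather than read from `github.event.workflow_run.pull_requests`, which is empty for runs triggered from forks.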