Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 25 Dec 2016 17:41:40 -0500
From: <cve-assign@...re.org>
To: <jwilk@...lk.net>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: tqdm: insecure use of git

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> But cwd might be a part of an unrelated git repository

Can you clarify the threat model for this? Our understanding is
that .git/config is not really a part of a repository that is
controlled by a remote party, e.g., see the second paragraph of the
https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
post.

Is either (or both) of these a valid interpretation of your report?

1. You are suggesting that there is a security problem in git because
the risks of an attacker-controlled config file are not documented
carefully enough. In other words, you want documentation such as
https://www.kernel.org/pub/software/scm/git/docs/git-config.html to
tell the user that they must not use a "repository specific
configuration file" that is writable by an untrusted local user.

2. You are suggesting that there is a security problem in tqdm because
the victim is not explicitly being told that they are executing a git
command, and thus they do not realize that there is a need to verify
that they have a safe cwd before proceeding.

If the latter, then do you mean that:

A. Anyone planning to explicitly enter "git log" from a shell prompt
is responsible for first verifying that the cwd is safe. It is a known
property of git that the cwd is critical to security.

B. No third-party product should ever be executing "git log" in an
unexpected context. Either the user must somehow be aware that a "git
log" may be executed, or else the product must somehow force the use
of a safe local directory. Otherwise, a CVE is needed for each such
product.

?

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYYEqXAAoJEHb/MwWLVhi2hgYP/1z6ZHZTku8bMw+PFzkNfVtV
0xBjr9/4d4gvzZQfMgs4fLvKAvmTFf/vc8aTEJWpsCHnwEI+tHsoP6eVOTjW/+Kq
8OG6O01xjKHClrEAIpGM+aYCiSlk1NQSwE8kb9gANJk25rV0LNLrMF20o529WTIL
c7MciM5vnWPK8pyw5oQTfONCdjuGk7ATQ8TM8UjgNaW48Kk595rUAroD46Dx5zl5
S/S7I4AxB8p5xZVJIl0tif3FxRWCsd+Or+NigpyFkCXp09Xz4wNGJjh6DR7q5Ppg
Aw8Vg6OG1mmGbXl2qt7MDYpRiVoXMQH6wbg9tcOmv8HUabc7WucABADw05WArbHv
DP/CXIrfYiWD1xKP3anqwGb0zx1v4+2N7bWCIMktIO3RoIm579UTNATA/EH5Gk7r
XFYnA77DzevJ9ulQX+4Ryx2oiS4Fb0GBrx0tUsGM9gsXvOZtnfdSSXLg3dl5Y0mh
QrcnnSAgvS13so3nGeKWYrjGVLb/eqEhGFBNrjBGr3F+EbcxGh1+0ES2D2o6WUjj
dTFdyGsP2Pkdh02OgvLNf+Fj5ELBR+jCg05FQs5hJ7OdBYQA5gmKpELHeDPTOj7A
i8sYwn61WhuMg1Lg8ClHKCNc7pqMG1C52jDIOUhUBOt3tUfCpOyQY2+s4y2EklIo
jis4UzxON4HtAOu6x/Ae
=4l/s
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ