Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 25 Dec 2016 17:41:40 -0500
From: <cve-assign@...re.org>
To: <jwilk@...lk.net>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: tqdm: insecure use of git

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> But cwd might be a part of an unrelated git repository

Can you clarify the threat model for this? Our understanding is
that .git/config is not really a part of a repository that is
controlled by a remote party, e.g., see the second paragraph of the
https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
post.

Is either (or both) of these a valid interpretation of your report?

1. You are suggesting that there is a security problem in git because
the risks of an attacker-controlled config file are not documented
carefully enough. In other words, you want documentation such as
https://www.kernel.org/pub/software/scm/git/docs/git-config.html to
tell the user that they must not use a "repository specific
configuration file" that is writable by an untrusted local user.

2. You are suggesting that there is a security problem in tqdm because
the victim is not explicitly being told that they are executing a git
command, and thus they do not realize that there is a need to verify
that they have a safe cwd before proceeding.

If the latter, then do you mean that:

A. Anyone planning to explicitly enter "git log" from a shell prompt
is responsible for first verifying that the cwd is safe. It is a known
property of git that the cwd is critical to security.

B. No third-party product should ever be executing "git log" in an
unexpected context. Either the user must somehow be aware that a "git
log" may be executed, or else the product must somehow force the use
of a safe local directory. Otherwise, a CVE is needed for each such
product.

?

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYYEqXAAoJEHb/MwWLVhi2hgYP/1z6ZHZTku8bMw+PFzkNfVtV
0xBjr9/4d4gvzZQfMgs4fLvKAvmTFf/vc8aTEJWpsCHnwEI+tHsoP6eVOTjW/+Kq
8OG6O01xjKHClrEAIpGM+aYCiSlk1NQSwE8kb9gANJk25rV0LNLrMF20o529WTIL
c7MciM5vnWPK8pyw5oQTfONCdjuGk7ATQ8TM8UjgNaW48Kk595rUAroD46Dx5zl5
S/S7I4AxB8p5xZVJIl0tif3FxRWCsd+Or+NigpyFkCXp09Xz4wNGJjh6DR7q5Ppg
Aw8Vg6OG1mmGbXl2qt7MDYpRiVoXMQH6wbg9tcOmv8HUabc7WucABADw05WArbHv
DP/CXIrfYiWD1xKP3anqwGb0zx1v4+2N7bWCIMktIO3RoIm579UTNATA/EH5Gk7r
XFYnA77DzevJ9ulQX+4Ryx2oiS4Fb0GBrx0tUsGM9gsXvOZtnfdSSXLg3dl5Y0mh
QrcnnSAgvS13so3nGeKWYrjGVLb/eqEhGFBNrjBGr3F+EbcxGh1+0ES2D2o6WUjj
dTFdyGsP2Pkdh02OgvLNf+Fj5ELBR+jCg05FQs5hJ7OdBYQA5gmKpELHeDPTOj7A
i8sYwn61WhuMg1Lg8ClHKCNc7pqMG1C52jDIOUhUBOt3tUfCpOyQY2+s4y2EklIo
jis4UzxON4HtAOu6x/Ae
=4l/s
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.