Date: Tue, 27 Dec 2016 20:00:01 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: tqdm: insecure use of git

>Can you clarify the threat model for this? Our understanding is that 
>.git/config is not really a part of a repository that is controlled by a 
>remote party, e.g., see the second paragraph of the 
>https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html 
>post.

Right; the malicious git repository would have to be created by other means 
than "git clone" alone.

The attack scenario I had in mind is:

Alice and Mallory are local users on the same machine.
Mallory creates world-readable /tmp/.git such that running "git log" against 
this repository compromises the user's account.
Alice chdirs to /tmp (or maybe even to a subdirectory of /tmp accessible only 
to her), and runs a command that uses the tqdm module under the hood. tqdm 
executes "git log", which executes Mallory's code.

>Is either (or both) of these a valid interpretation of your report?
>
>1. You are suggesting that there is a security problem in git because the 
>risks of an attacker-controlled config file are not documented carefully 
>enough. In other words, you want documentation such as 
>https://www.kernel.org/pub/software/scm/git/docs/git-config.html to tell the 
>user that they must not use a "repository specific configuration file" that is 
>writable by an untrusted local user.

No, I don't see this as a problem in git.

>2. You are suggesting that there is a security problem in tqdm because the 
>victim is not explicitly being told that they are executing a git command, and 
>thus they do not realize that there is a need to verify that they have a safe 
>cwd before proceeding.

Yes.

>A. Anyone planning to explicitly enter "git log" from a shell prompt is 
>responsible for first verifying that the cwd is safe. It is a known property 
>of git that the cwd is critical to security.

Yes.

>B. No third-party product should ever be executing "git log" in an unexpected 
>context. Either the user must somehow be aware that a "git log" may be 
>executed, or else the product must somehow force the use of a safe local 
>directory. Otherwise, a CVE is needed for each such product.

Yes.

-- 
Jakub Wilk
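A defensive counterpart to point B above, written as an added example (not tqdm's code and not anything posted in this thread): a library that needs "git log" runs it only against an explicitly vetted directory, never the caller's cwd, and refuses a .git that belongs to another local user, which is the /tmp/.git scenario. The function names and the sample directory layout in demo() are constructed for this example.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path


class UnsafeRepository(Exception):
    """The repository directory cannot be trusted (foreign owner, symlink, missing)."""


def check_repo_safe(repo: Path) -> Path:
    """Return repo/.git if it is a plain directory owned by the current user.

    This is the "safe local directory" requirement from point B: a .git planted
    by another local user is refused before git is ever executed.
    """
    git_dir = Path(repo) / ".git"
    try:
        st = os.lstat(git_dir)  # lstat: a symlink sitting at .git is refused, not followed
    except FileNotFoundError:
        raise UnsafeRepository(f"{git_dir} does not exist") from None
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeRepository(f"{git_dir} is not a plain directory")
    if st.st_uid != os.geteuid():
        raise UnsafeRepository(f"{git_dir} is owned by uid {st.st_uid}, not by this user")
    return git_dir


def is_repo_safe(repo: Path) -> bool:
    """Boolean form of check_repo_safe for callers that just want a verdict."""
    try:
        check_repo_safe(repo)
        return True
    except UnsafeRepository:
        return False


def git_last_commit(repo: Path) -> str:
    """Run 'git log' against an explicit, vetted repository instead of the cwd."""
    git_dir = check_repo_safe(repo)
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "GIT_DIR": str(git_dir)}
    out = subprocess.run(["git", "--no-pager", "log", "-1", "--format=%H"],
                         cwd=repo, env=env, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def demo() -> dict:
    """Constructed layout: a plain .git we own, a symlinked .git, and no .git at all."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = Path(tmp, "plain"); (plain / ".git").mkdir(parents=True)
        linked = Path(tmp, "linked"); linked.mkdir()
        (linked / ".git").symlink_to(plain / ".git")
        empty = Path(tmp, "empty"); empty.mkdir()
        return {"plain": is_repo_safe(plain), "symlink": is_repo_safe(linked),
                "missing": is_repo_safe(empty)}
```

The ownership test here is the same idea git itself later adopted for its "dubious ownership" refusal (the safe.directory setting); a library cannot rely on the installed git being that new, so it does the check before spawning the process.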
