Date: Tue, 27 Dec 2016 20:00:01 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: tqdm: insecure use of git

>Can you clarify the threat model for this? Our understanding is that
>.git/config is not really a part of a repository that is controlled by a
>remote party, e.g., see the second paragraph of the
>https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
>post.

Right; the malicious git repository would have to be created by other means
than "git clone" alone.

The attack scenario I had in mind is:

Alice and Mallory are local users on the same machine. Mallory creates
world-readable /tmp/.git such that running "git log" against this repository
compromises the user's account. Alice chdirs to /tmp (or maybe even to a
subdirectory of /tmp accessible only to her), and runs a command that uses the
tqdm module under the hood. tqdm executes "git log", which executes Mallory's
code.

>Is either (or both) of these a valid interpretation of your report?
>
>1. You are suggesting that there is a security problem in git because the
>risks of an attacker-controlled config file are not documented carefully
>enough. In other words, you want documentation such as
>https://www.kernel.org/pub/software/scm/git/docs/git-config.html to tell the
>user that they must not use a "repository specific configuration file" that is
>writable by an untrusted local user.

No, I don't see this as a problem in git.

>2. You are suggesting that there is a security problem in tqdm because the
>victim is not explicitly being told that they are executing a git command, and
>thus they do not realize that there is a need to verify that they have a safe
>cwd before proceeding.

Yes.

>A. Anyone planning to explicitly enter "git log" from a shell prompt is
>responsible for first verifying that the cwd is safe. It is a known property
>of git that the cwd is critical to security.

Yes.

>B. No third-party product should ever be executing "git log" in an unexpected
>context. Either the user must somehow be aware that a "git log" may be
>executed, or else the product must somehow force the use of a safe local
>directory. Otherwise, a CVE is needed for each such product.

Yes.

-- 
Jakub Wilk
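One way a product could "force the use of a safe local directory" as the quoted point B asks, as an added example that is not part of this mail or of tqdm; the function names and the ownership rule (refuse a .git that the current user does not own or that others can write to) are this example's own assumptions:

```python
# Added example, not from the mail or from tqdm: a guard a library could run
# before shelling out to "git log". It walks up to the enclosing .git the way
# git does, and refuses it unless the current user owns it and no other user
# can write to it, which rules out a planted /tmp/.git. Names are hypothetical.
import os
import stat
import subprocess
from pathlib import Path
from typing import Optional


def find_git_dir(start: Path) -> Optional[Path]:
    """Return the nearest .git at or above `start`, or None if there is none."""
    start = start.resolve()
    for directory in (start, *start.parents):
        candidate = directory / ".git"
        if candidate.exists():
            return candidate
    return None


def is_trusted_git_dir(git_dir: Path) -> bool:
    """Trust .git only if we own it and it is neither a symlink nor group/world-writable."""
    try:
        st = git_dir.lstat()  # lstat: a symlink planted at .git is rejected below
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return False
    if st.st_uid != os.geteuid():  # another local user created it (Mallory's /tmp/.git)
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # others could rewrite its config
        return False
    return True


def safe_git_log(cwd: Path, max_count: int = 5) -> Optional[str]:
    """Run `git log` only inside a trusted repository; otherwise return None
    without invoking git at all."""
    git_dir = find_git_dir(cwd)
    if git_dir is None or not is_trusted_git_dir(git_dir):
        return None
    # Pin git to the vetted worktree rather than trusting the process cwd.
    cmd = ["git", "-C", str(git_dir.parent), "log", f"--max-count={max_count}", "--oneline"]
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return result.stdout if result.returncode == 0 else None
```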