Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 28 Dec 2016 15:16:37 -0500
From: <cve-assign@...re.org>
To: <jwilk@...lk.net>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: tqdm: insecure use of git

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> B. No third-party product should ever be executing "git log" in an unexpected
>> context. Either the user must somehow be aware that a "git log" may be
>> executed, or else the product must somehow force the use of a safe local
>> directory. Otherwise, a CVE is needed for each such product.

>> 2. You are suggesting that there is a security problem in tqdm because the
>> victim is not explicitly being told that they are executing a git command, and
>> thus they do not realize that there is a need to verify that they have a safe
>> cwd before proceeding.

No one has disputed your threat model, so we will assign an ID for
this tqdm issue: CVE-2016-10075


>> 1. You are suggesting that there is a security problem in git because the
>> risks of an attacker-controlled config file are not documented carefully
>> enough.

> No, I don't see this as a problem in git.

Does anyone know of steps that an operating-system distribution could
take to prevent this class of problem (i.e., software package A has
unusual usage expectations that make it risky for software package B
to have a dependency on A)?

Or is git in a class by itself, because its usage expectation is that
the cwd determines the location of executable programs, and anyone
writing any other software package may have to remember this special
fact?

The issue is that git is specifically designed to allow (with highest
precedence) a "repository specific configuration file" that is, on
each local system, stored in the same directory tree as the main
repository content. The example given for the CVE-2016-10075 attack
against tqdm was a "[gpg] program = " setting, which is probably not a
great example because people almost always could use the same version
of gpg for every repository. A better example is "[diff]" because
someone may need a specialized diff program if they have unusual types
of files in one repository. In other words, there is a realistic use
case for being able to configure different executable programs for
different repositories. The question is whether cwd-based
configuration is a reasonable choice.

Are the risks really much different from a hypothetical git behavior
in which (for any arbitrary cwd) it selected a diff program by doing:

  PATH=.:$PATH

?

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYZB0jAAoJEHb/MwWLVhi2ncAP/i52gkcm/kJO0uM5znKPppXZ
YOkxjOU4HsKgEMfQLmWDUzH3Ld726/WqXd5rF4ZCRLtH6mGEI9Xo/bY6SjnZZDJl
6XZa7CcxzTCcZYY2V6rEYadig/F9oInNJez+JVzQXPAQHGsXhgGX3Qiv7Q4ZzSNC
WOmPT4i8u4I8JbuvBtdxWSeqY9oxgeBujuO+JTB5SGDUGI0CTkbnoSP9Gr9kJgg/
1fXBOLNdsmpaWJcZI/uq9k86fTN3T/xeL+Cq27KA1INvypwmM5XfSr7qr4t8SwJK
V9UxaJCUUYs06RAdngRiVsRB/HjpElZgavwnaToy7W7zK1xtIWqutR4lB4k1rBcS
0m+qxMRSagQ0CeTpNehhKPy+NNsrhdpR0CqdFbE4J6psc/Gj04Y7ZxL94CvtdeCs
WKsB69O1cBresLoszZXDXWkk/f0s8ci3xFiZDEouse7HEn48BYVTfjARB5g10IXD
fLjBmN6abvlr/3CajQt4YZ3QvWyEvrWg6yeywHvcgsyzKxcKqhnW47Uq3Jgsmur+
KyqvgSn3g5T7iBja7UutbCm+k7VyBljSlWEArjwzNqERveGPgUdauLSVbmJ0EcMp
g/3PPm86nXed/kl77Ezo7hDY5f6v0rioJVhwhGoR53UrZ5aVBc4V8FplcUK/J95c
BjzMEeGhx6IRdRA87nrR
=1kMw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.