Date: Sun, 25 Dec 2016 17:41:40 -0500
From: <cve-assign@...re.org>
To: <jwilk@...lk.net>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: tqdm: insecure use of git

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> But cwd might be a part of an unrelated git repository

Can you clarify the threat model for this? Our understanding is that .git/config is not really a part of a repository that is controlled by a remote party, e.g., see the second paragraph of the https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html post.

Is either (or both) of these a valid interpretation of your report?

1. You are suggesting that there is a security problem in git because the risks of an attacker-controlled config file are not documented carefully enough. In other words, you want documentation such as https://www.kernel.org/pub/software/scm/git/docs/git-config.html to tell the user that they must not use a "repository specific configuration file" that is writable by an untrusted local user.

2. You are suggesting that there is a security problem in tqdm because the victim is not explicitly being told that they are executing a git command, and thus they do not realize that there is a need to verify that they have a safe cwd before proceeding.

If the latter, then do you mean that:

A. Anyone planning to explicitly enter "git log" from a shell prompt is responsible for first verifying that the cwd is safe. It is a known property of git that the cwd is critical to security.

B. No third-party product should ever be executing "git log" in an unexpected context. Either the user must somehow be aware that a "git log" may be executed, or else the product must somehow force the use of a safe local directory. Otherwise, a CVE is needed for each such product.

?
- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYYEqXAAoJEHb/MwWLVhi2hgYP/1z6ZHZTku8bMw+PFzkNfVtV
0xBjr9/4d4gvzZQfMgs4fLvKAvmTFf/vc8aTEJWpsCHnwEI+tHsoP6eVOTjW/+Kq
8OG6O01xjKHClrEAIpGM+aYCiSlk1NQSwE8kb9gANJk25rV0LNLrMF20o529WTIL
c7MciM5vnWPK8pyw5oQTfONCdjuGk7ATQ8TM8UjgNaW48Kk595rUAroD46Dx5zl5
S/S7I4AxB8p5xZVJIl0tif3FxRWCsd+Or+NigpyFkCXp09Xz4wNGJjh6DR7q5Ppg
Aw8Vg6OG1mmGbXl2qt7MDYpRiVoXMQH6wbg9tcOmv8HUabc7WucABADw05WArbHv
DP/CXIrfYiWD1xKP3anqwGb0zx1v4+2N7bWCIMktIO3RoIm579UTNATA/EH5Gk7r
XFYnA77DzevJ9ulQX+4Ryx2oiS4Fb0GBrx0tUsGM9gsXvOZtnfdSSXLg3dl5Y0mh
QrcnnSAgvS13so3nGeKWYrjGVLb/eqEhGFBNrjBGr3F+EbcxGh1+0ES2D2o6WUjj
dTFdyGsP2Pkdh02OgvLNf+Fj5ELBR+jCg05FQs5hJ7OdBYQA5gmKpELHeDPTOj7A
i8sYwn61WhuMg1Lg8ClHKCNc7pqMG1C52jDIOUhUBOt3tUfCpOyQY2+s4y2EklIo
jis4UzxON4HtAOu6x/Ae
=4l/s
-----END PGP SIGNATURE-----
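As an added illustration of what "force the use of a safe local directory" in point B above can look like in practice (this is example code written for this page, not part of the message above and not tqdm's own code): instead of letting git discover whatever repository happens to enclose the caller's cwd, the product pins git to a directory it chose, tells git not to walk upward out of it, and first checks that the repository's config file is owned by the current user and not writable by other local users. The "pkg" directory and the sample config contents are constructed for the demo; `git -C` and the `GIT_CEILING_DIRECTORIES` environment variable are real git features. The check itself needs no git binary, so `demo()` runs offline.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path


def repo_config_is_trusted(repo_dir) -> bool:
    """Return True only if repo_dir/.git/config is a regular file owned by the
    current user and not writable by group or others.

    This is the "safe local directory" check: a repository whose config some
    other local user can edit must never be handed to a git command.
    """
    cfg = Path(repo_dir) / ".git" / "config"
    try:
        st = os.lstat(cfg)  # lstat: a symlinked config file is not trusted either
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def git_log(repo_dir, *extra_args) -> str:
    """Run 'git log' against an explicit repository rather than the caller's cwd.

    - 'git -C <dir>' makes the product, not the user, choose the repository.
    - GIT_CEILING_DIRECTORIES tells git not to chdir up into the parent while
      discovering the repository, so an unrelated enclosing repo is never used.
    - The trust check above rejects a config file other local users can write.
    """
    repo_dir = Path(repo_dir).resolve()
    if not repo_config_is_trusted(repo_dir):
        raise RuntimeError(f"refusing to run git in untrusted repository: {repo_dir}")
    env = dict(os.environ, GIT_CEILING_DIRECTORIES=str(repo_dir.parent))
    proc = subprocess.run(
        ["git", "-C", str(repo_dir), "log", *extra_args],
        env=env, capture_output=True, text=True, check=True,
    )
    return proc.stdout


def demo() -> dict:
    """Exercise the check on a constructed repository layout (no git needed).

    Returns a dict of outcomes so the behaviour can be asserted on.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "pkg"  # hypothetical directory the product owns
        repo.mkdir()
        results["missing"] = repo_config_is_trusted(repo)  # no .git/config yet

        cfg = repo / ".git" / "config"
        cfg.parent.mkdir()
        cfg.write_text("[core]\n\tpager = less\n")  # constructed sample config
        os.chmod(cfg, 0o644)
        results["owner_only"] = repo_config_is_trusted(repo)

        os.chmod(cfg, 0o666)  # now editable by any local user
        results["world_writable"] = repo_config_is_trusted(repo)
        try:
            git_log(repo, "-1")  # refused before git is ever spawned
            results["refused"] = False
        except RuntimeError:
            results["refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership and mode check is deliberately done with `lstat` on the config file itself rather than on the directory, because it is the config file (pager, hooks path, aliases) that a local attacker would need to control; a real product would point `repo_dir` at the directory containing its own module rather than at a temporary path.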