Date: Sun, 25 Dec 2016 17:41:40 -0500
From: <cve-assign@...re.org>
To: <jwilk@...lk.net>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: tqdm: insecure use of git

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> But cwd might be a part of an unrelated git repository

Can you clarify the threat model for this? Our understanding is that
.git/config is not really a part of a repository that is controlled by a
remote party, e.g., see the second paragraph of the
https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
post.

Is either (or both) of these a valid interpretation of your report?

1. You are suggesting that there is a security problem in git because the
risks of an attacker-controlled config file are not documented carefully
enough. In other words, you want documentation such as
https://www.kernel.org/pub/software/scm/git/docs/git-config.html to tell
the user that they must not use a "repository specific configuration file"
that is writable by an untrusted local user.

2. You are suggesting that there is a security problem in tqdm because the
victim is not explicitly being told that they are executing a git command,
and thus they do not realize that there is a need to verify that they have
a safe cwd before proceeding.

If the latter, then do you mean that:

A. Anyone planning to explicitly enter "git log" from a shell prompt is
responsible for first verifying that the cwd is safe. It is a known
property of git that the cwd is critical to security.

B. No third-party product should ever be executing "git log" in an
unexpected context. Either the user must somehow be aware that a "git log"
may be executed, or else the product must somehow force the use of a safe
local directory. Otherwise, a CVE is needed for each such product.

?
- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYYEqXAAoJEHb/MwWLVhi2hgYP/1z6ZHZTku8bMw+PFzkNfVtV
0xBjr9/4d4gvzZQfMgs4fLvKAvmTFf/vc8aTEJWpsCHnwEI+tHsoP6eVOTjW/+Kq
8OG6O01xjKHClrEAIpGM+aYCiSlk1NQSwE8kb9gANJk25rV0LNLrMF20o529WTIL
c7MciM5vnWPK8pyw5oQTfONCdjuGk7ATQ8TM8UjgNaW48Kk595rUAroD46Dx5zl5
S/S7I4AxB8p5xZVJIl0tif3FxRWCsd+Or+NigpyFkCXp09Xz4wNGJjh6DR7q5Ppg
Aw8Vg6OG1mmGbXl2qt7MDYpRiVoXMQH6wbg9tcOmv8HUabc7WucABADw05WArbHv
DP/CXIrfYiWD1xKP3anqwGb0zx1v4+2N7bWCIMktIO3RoIm579UTNATA/EH5Gk7r
XFYnA77DzevJ9ulQX+4Ryx2oiS4Fb0GBrx0tUsGM9gsXvOZtnfdSSXLg3dl5Y0mh
QrcnnSAgvS13so3nGeKWYrjGVLb/eqEhGFBNrjBGr3F+EbcxGh1+0ES2D2o6WUjj
dTFdyGsP2Pkdh02OgvLNf+Fj5ELBR+jCg05FQs5hJ7OdBYQA5gmKpELHeDPTOj7A
i8sYwn61WhuMg1Lg8ClHKCNc7pqMG1C52jDIOUhUBOt3tUfCpOyQY2+s4y2EklIo
jis4UzxON4HtAOu6x/Ae
=4l/s
-----END PGP SIGNATURE-----
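Interpretation B above asks whether a product that shells out to `git log` should "force the use of a safe local directory". The following is an added illustration of what such a check could look like; it is not code from this thread, from tqdm or from git. It assumes a POSIX host (`os.getuid` and mode bits), and the names `find_git_dir`, `check_git_cwd`, `run_git_log` and `build_fixture` are my own. The check walks up from the intended cwd the way git discovers a repository, then refuses to run git if the `.git` directory or its `config` file is owned by another uid or is writable by group or others, which is exactly the "repository specific configuration file writable by an untrusted local user" case the message describes. `build_fixture` constructs throwaway sample repositories so the check can be exercised offline.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path


def find_git_dir(start):
    """Walk upward from `start`, as git does when discovering a repository, and
    return the first `.git` directory found, or None if there is no repository."""
    cur = Path(start).resolve()
    for candidate in (cur, *cur.parents):
        gitdir = candidate / ".git"
        if gitdir.is_dir():
            return gitdir
    return None


def _owned_and_private(path, uid):
    """Return (ok, reason): ok only if `path` belongs to `uid` and nobody else can
    write it. Either failure means another local user may have edited the file."""
    st = os.stat(path)
    if st.st_uid != uid:
        return False, f"{path} is owned by uid {st.st_uid}, not {uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        return False, f"{path} is writable by group or others (mode {mode:o})"
    return True, None


def check_git_cwd(cwd):
    """Decide whether running git in `cwd` would read a repository-specific config
    that an untrusted local user could control. Returns (ok, reason)."""
    gitdir = find_git_dir(cwd)
    if gitdir is None:
        return True, "not inside a git repository, so no repo-specific config is read"
    uid = os.getuid()
    # The .git directory itself must be ours: whoever can write it can create config.
    ok, reason = _owned_and_private(gitdir, uid)
    if not ok:
        return False, reason
    config = gitdir / "config"
    if config.exists():
        ok, reason = _owned_and_private(config, uid)
        if not ok:
            return False, reason
    return True, f"{gitdir} and its config are owned by uid {uid} and private"


def run_git_log(cwd, *args):
    """Run `git log` only after the cwd check passes. `-C` names the directory
    explicitly instead of inheriting whatever cwd the caller happened to have."""
    ok, reason = check_git_cwd(cwd)
    if not ok:
        raise PermissionError(f"refusing to run git in {cwd}: {reason}")
    return subprocess.run(["git", "-C", str(cwd), "log", *args],
                          capture_output=True, text=True, check=False)


def build_fixture(world_writable_config):
    """Constructed sample data: a fake repository (a .git/ holding only a config
    file) under a fresh private temp dir, with config either private or 0666."""
    root = Path(tempfile.mkdtemp(prefix="gitcwd-"))
    gitdir = root / "project" / ".git"
    work = root / "project" / "src"
    gitdir.mkdir(parents=True)
    work.mkdir(parents=True)
    gitdir.chmod(0o755)  # make the directory check independent of the umask
    config = gitdir / "config"
    config.write_text("[core]\n\trepositoryformatversion = 0\n")
    config.chmod(0o666 if world_writable_config else 0o644)
    return work


if __name__ == "__main__":
    for writable in (False, True):
        ok, reason = check_git_cwd(build_fixture(writable))
        verdict = "safe" if ok else "unsafe"
        print(f"config world-writable={writable}: {verdict} ({reason})")
```

The ownership and mode checks deliberately cover the `.git` directory as well as `config`, since a user who can write the directory can simply replace the file. A product that wants to avoid the question entirely can instead run git from a directory it created itself, which is the other option the message names.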