Date: Wed, 28 Dec 2016 15:16:37 -0500 From: <cve-assign@...re.org> To: <jwilk@...lk.net> CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com> Subject: Re: tqdm: insecure use of git -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 >> B. No third-party product should ever be executing "git log" in an unexpected >> context. Either the user must somehow be aware that a "git log" may be >> executed, or else the product must somehow force the use of a safe local >> directory. Otherwise, a CVE is needed for each such product. >> 2. You are suggesting that there is a security problem in tqdm because the >> victim is not explicitly being told that they are executing a git command, and >> thus they do not realize that there is a need to verify that they have a safe >> cwd before proceeding. No one has disputed your threat model, so we will assign an ID for this tqdm issue: CVE-2016-10075 >> 1. You are suggesting that there is a security problem in git because the >> risks of an attacker-controlled config file are not documented carefully >> enough. > No, I don't see this as a problem in git. Does anyone know of steps that an operating-system distribution could take to prevent this class of problem (i.e., software package A has unusual usage expectations that make it risky for software package B to have a dependency on A)? Or is git in a class by itself, because its usage expectation is that the cwd determines the location of executable programs, and anyone writing any other software package may have to remember this special fact? The issue is that git is specifically designed to allow (with highest precedence) a "repository specific configuration file" that is, on each local system, stored in the same directory tree as the main repository content. The example given for the CVE-2016-10075 attack against tqdm was a "[gpg] program = " setting, which is probably not a great example because people almost always could use the same version of gpg for every repository. A better example is "[diff]" because someone may need a specialized diff program if they have unusual types of files in one repository. In other words, there is a realistic use case for being able to configure different executable programs for different repositories. The question is whether cwd-based configuration is a reasonable choice. Are the risks really much different from a hypothetical git behavior in which (for any arbitrary cwd) it selected a diff program by doing: PATH=.:$PATH ? - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYZB0jAAoJEHb/MwWLVhi2ncAP/i52gkcm/kJO0uM5znKPppXZ YOkxjOU4HsKgEMfQLmWDUzH3Ld726/WqXd5rF4ZCRLtH6mGEI9Xo/bY6SjnZZDJl 6XZa7CcxzTCcZYY2V6rEYadig/F9oInNJez+JVzQXPAQHGsXhgGX3Qiv7Q4ZzSNC WOmPT4i8u4I8JbuvBtdxWSeqY9oxgeBujuO+JTB5SGDUGI0CTkbnoSP9Gr9kJgg/ 1fXBOLNdsmpaWJcZI/uq9k86fTN3T/xeL+Cq27KA1INvypwmM5XfSr7qr4t8SwJK V9UxaJCUUYs06RAdngRiVsRB/HjpElZgavwnaToy7W7zK1xtIWqutR4lB4k1rBcS 0m+qxMRSagQ0CeTpNehhKPy+NNsrhdpR0CqdFbE4J6psc/Gj04Y7ZxL94CvtdeCs WKsB69O1cBresLoszZXDXWkk/f0s8ci3xFiZDEouse7HEn48BYVTfjARB5g10IXD fLjBmN6abvlr/3CajQt4YZ3QvWyEvrWg6yeywHvcgsyzKxcKqhnW47Uq3Jgsmur+ KyqvgSn3g5T7iBja7UutbCm+k7VyBljSlWEArjwzNqERveGPgUdauLSVbmJ0EcMp g/3PPm86nXed/kl77Ezo7hDY5f6v0rioJVhwhGoR53UrZ5aVBc4V8FplcUK/J95c BjzMEeGhx6IRdRA87nrR =1kMw -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.