Date: Wed, 28 Dec 2016 15:16:37 -0500
From: <>
To: <>
CC: <>, <>
Subject: Re: tqdm: insecure use of git


>> B. No third-party product should ever be executing "git log" in an unexpected
>> context. Either the user must somehow be aware that a "git log" may be
>> executed, or else the product must somehow force the use of a safe local
>> directory. Otherwise, a CVE is needed for each such product.

>> 2. You are suggesting that there is a security problem in tqdm because the
>> victim is not explicitly being told that they are executing a git command, and
>> thus they do not realize that there is a need to verify that they have a safe
>> cwd before proceeding.

No one has disputed your threat model, so we will assign an ID for
this tqdm issue: CVE-2016-10075

>> 1. You are suggesting that there is a security problem in git because the
>> risks of an attacker-controlled config file are not documented carefully
>> enough.

> No, I don't see this as a problem in git.

Does anyone know of steps that an operating-system distribution could
take to prevent this class of problem (i.e., software package A has
unusual usage expectations that make it risky for software package B
to have a dependency on A)?

Or is git in a class by itself, because its usage expectation is that
the cwd determines the location of executable programs, and anyone
writing any other software package may have to remember this special

The issue is that git is specifically designed to allow (with highest
precedence) a "repository specific configuration file" that is, on
each local system, stored in the same directory tree as the main
repository content. The example given for the CVE-2016-10075 attack
against tqdm was a "[gpg] program = " setting, which is probably not a
great example because people almost always could use the same version
of gpg for every repository. A better example is "[diff]" because
someone may need a specialized diff program if they have unusual types
of files in one repository. In other words, there is a realistic use
case for being able to configure different executable programs for
different repositories. The question is whether cwd-based
configuration is a reasonable choice.

Are the risks really much different from a hypothetical git behavior
in which (for any arbitrary cwd) it selected a diff program by doing:



-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]
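The message above describes git's repository-specific configuration, which can name the programs git will run (the `[gpg] program` and `[diff]` cases), and the CVE-2016-10075 problem of a library invoking `git log` in whatever cwd it happens to inherit. The following is an added example, not code from this thread, from tqdm or from git: a small audit that parses a repository's `.git/config` and reports keys whose values git executes, plus a helper that builds a git command pinned to an explicitly chosen directory with git's real `-C` option instead of relying on the cwd, and refuses when that directory's config names programs. The function names (`find_executable_settings`, `plan_git_command`, `demo`), the key list (drawn from git-config(1) but deliberately incomplete) and the two sample configs are all constructed for this illustration.

```python
"""Added example, not from the thread, tqdm or git: pin the repository directory explicitly
(git -C) instead of inheriting the process cwd, and audit that repository's .git/config for
keys whose values git runs as programs, the class of setting discussed in the thread."""
import re
import tempfile
from pathlib import Path

# Keys whose value git executes, from git-config(1); illustrative, not exhaustive. Section
# and variable names are lower-cased because git matches them case-insensitively.
EXECUTABLE_KEYS = {"gpg.program", "diff.external", "core.pager", "core.editor",
                   "core.sshcommand", "core.askpass", "core.gitproxy", "core.hookspath",
                   "credential.helper", "sequence.editor"}
EXECUTABLE_PATTERNS = [re.compile(p) for p in (
    r"^diff\..+\.command$",                    # [diff "driver"] command = ...
    r"^filter\..+\.(clean|smudge|process)$",   # [filter "name"] clean = ...
    r"^(difftool|mergetool)\..+\.cmd$",
    r"^remote\..+\.(uploadpack|receivepack)$",
)]
_SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
_PAIR = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$")

def _strip_comment(line):
    """Drop a trailing # or ; comment unless it is inside double quotes."""
    out, quoted, i = [], False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):        # keep escape pairs intact
            out.append(line[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in "#;" and not quoted:
            break
        out.append(c)
        i += 1
    return "".join(out)

def _unquote(value):
    # Simplified decoding: surrounding quotes and backslash escapes only.
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)

def parse_git_config(text):
    """Parse git's INI-like syntax into {'section[.subsection].key': value}; last value wins."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if (m := _SECTION.match(line)):
            section = m.group(1).lower() + ("" if m.group(2) is None else "." + m.group(2))
        elif (m := _PAIR.match(line)) and section is not None:
            value = "true" if m.group(2) is None else _unquote(m.group(2))  # bare key = true
            entries[f"{section}.{m.group(1).lower()}"] = value
    return entries

def find_executable_settings(text):
    """Sorted (key, value) pairs whose value git would execute, shell aliases included."""
    hits = []
    for key, value in parse_git_config(text).items():
        if key in EXECUTABLE_KEYS or any(p.match(key) for p in EXECUTABLE_PATTERNS):
            hits.append((key, value))
        elif key.startswith("alias.") and value.startswith("!"):
            hits.append((key, value))
    return sorted(hits)

def plan_git_command(repo_dir, *args):
    """argv for git against an explicitly chosen directory, passed with -C so the process cwd
    is irrelevant. Refuses if the directory is not a repository or its config names programs.
    Assumes a plain .git directory (not a worktree or submodule 'gitdir:' file)."""
    repo = Path(repo_dir).resolve()
    cfg = repo / ".git" / "config"
    if not cfg.is_file():
        raise ValueError(f"{repo} is not a git repository")
    hits = find_executable_settings(cfg.read_text())
    if hits:
        raise ValueError(f"refusing to run git in {repo}: config sets {hits}")
    return ["git", "-C", str(repo), *args]

# Constructed sample configs (not taken from any real repository).
HOSTILE_CONFIG = """\
[core]
\tpager = less  ; trailing comment is stripped
[gpg]
\tprogram = "/tmp/not really gpg"
[diff "json"]
\tcommand = jq-diff
[alias]
\tst = status
\tpublish = !./scripts/publish.sh
"""
CLEAN_CONFIG = "[core]\n\tbare = false\n[user]\n\tname = Example\n"

def demo():
    """Two temporary repos: the argv planned for the clean one, the refusal for the other."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (("clean", CLEAN_CONFIG), ("hostile", HOSTILE_CONFIG)):
            (Path(tmp) / name / ".git").mkdir(parents=True)
            (Path(tmp) / name / ".git" / "config").write_text(text)
        argv = plan_git_command(Path(tmp, "clean"), "log", "-1")
        try:
            plan_git_command(Path(tmp, "hostile"), "log", "-1")
            refused = None
        except ValueError as exc:
            refused = str(exc)
    return argv, refused
```

`demo()` returns `["git", "-C", <clean repo path>, "log", "-1"]` for the clean repository and the refusal message for the one whose config sets `gpg.program`, `core.pager`, `diff.json.command` and a `!` shell alias. The design choice is that the directory is an explicit parameter of the caller, never the inherited cwd, which is exactly the expectation the thread says git places on every program that calls it; the config audit is a second line of defence for cases where the directory comes from a less trusted source, and the key list should be extended for whichever git subcommands a tool actually invokes.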

