oss-sec mailing list archives
Re: tqdm: insecure use of git
From: Jakub Wilk <jwilk () jwilk net>
Date: Tue, 27 Dec 2016 20:00:01 +0100
Can you clarify the threat model for this? Our understanding is that .git/config is not really a part of a repository that is controlled by a remote party, e.g., see the second paragraph of the https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html post.
Right; the malicious git repository would have to be created by other means than "git clone" alone.
The attack scenario I had in mind is: Alice and Mallory are local users on the same machine. Mallory creates world-readable /tmp/.git such that running "git log" against this repository compromises the user's account. Alice chdirs to /tmp (or maybe even to a subdirectory of /tmp accessible only to her), and runs a command that uses the tqdm module under the hood. tqdm executes "git log", which executes Mallory's code.
Is either (or both) of these a valid interpretation of your report?
1. You are suggesting that there is a security problem in git because the risks of an attacker-controlled config file are not documented carefully enough. In other words, you want documentation such as https://www.kernel.org/pub/software/scm/git/docs/git-config.html to tell the user that they must not use a "repository specific configuration file" that is writable by an untrusted local user.
No, I don't see this as a problem in git.
2. You are suggesting that there is a security problem in tqdm because the victim is not explicitly being told that they are executing a git command, and thus they do not realize that there is a need to verify that they have a safe cwd before proceeding.
Yes.
A. Anyone planning to explicitly enter "git log" from a shell prompt is responsible for first verifying that the cwd is safe. It is a known property of git that the cwd is critical to security.
Yes.
B. No third-party product should ever be executing "git log" in an unexpected context. Either the user must somehow be aware that a "git log" may be executed, or else the product must somehow force the use of a safe local directory. Otherwise, a CVE is needed for each such product.
Yes.
--
Jakub Wilk
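One way a tool could apply the "force the use of a safe local directory" option from point B before it shells out to git. This is an added example, not part of the original message and not tqdm's code; the function names are hypothetical, and treating "owned by the calling user and not group/world-writable" as trusted is an assumed policy.

```python
import os
import stat
import subprocess

def discover_git_dir(start):
    """Walk up from start and return the first '.git' entry found.
    Simplified model of git's discovery: bare repositories are not considered."""
    path = os.path.realpath(start)
    while True:
        candidate = os.path.join(path, ".git")
        if os.path.lexists(candidate):
            return candidate
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            return None
        path = parent

def owned_and_private(path, uid):
    """True if path is owned by uid and not writable by group or others."""
    st = os.stat(path)
    return st.st_uid == uid and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def repo_is_trusted(git_dir, uid=None):
    """Check the .git directory and its config; anything but a real directory is rejected."""
    uid = os.getuid() if uid is None else uid
    if not os.path.isdir(git_dir):
        return False
    config = os.path.join(git_dir, "config")
    paths = [git_dir, config] if os.path.exists(config) else [git_dir]
    return all(owned_and_private(p, uid) for p in paths)

def guarded_git_log(cwd, uid=None):
    """Run 'git log' only against a trusted repository; return None otherwise."""
    git_dir = discover_git_dir(cwd)
    if git_dir is None or not repo_is_trusted(git_dir, uid):
        return None
    # Pin GIT_DIR to the directory that was checked so git does no discovery of its own.
    env = dict(os.environ, GIT_DIR=git_dir)
    result = subprocess.run(["git", "log", "-n", "1", "--oneline"],
                            cwd=cwd, env=env, capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None
```

In the /tmp/.git scenario above, the discovered directory is owned by Mallory, so the check fails and git is never started. The check and the later git invocation are separate steps, so the result is only as reliable as the ownership of the directories being checked.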