tqdm._version: insecure use of git #328
Comments
tqdm wants to execute git for no good reason: tqdm/tqdm#328 Let's foil this plan by intermittently setting PATH to a non-existent directory.
Thanks, I was wondering how long it would take for someone to take issue with my commit hash version hack. Think we should change it so it only works with developer installs...
Thanks for the report @jwilk. The auto commit tagging is very useful, but this is a quite serious vulnerability. @casperdcl What was the initial purpose of adding the commit hash? Was it to tag experimental releases, or to ease debugging (e.g., when asking users to display the version they use)?
CVE-2016-10075 was assigned to this bug.
@jwilk Haha this is becoming real serious, thanks for assigning a CVE identifier! We should try to fix this ASAP; depending on what purpose @casperdcl prefers to favor, we will remove the exploit!
"Later this day, Yahoo Inc. was hacked using tqdm as an entry point; initial investigation shows motives may be terrorism..." Are you sure it's not CVE-2014-0160?
Sorry @lrq3000, only have intermittent access atm. Will try to look at all these issues soonish.
That's not funny CrazyPython! I almost had a heart attack XD
Ok Casper great, thanks :)
…branch name Signed-off-by: Stephen L. <lrq3000@gmail.com>
Also you won't need your monkeypatch anymore (clever one BTW)!
Yes thanks @CrazyPython, I edited my message to fix the typo!
In general #330 seems to address the immediate problem; it kinda seems way overkill to have all that code just to know if you're in a released package or not, YMMV.
@sandrotosi I know of at least one other software that is doing a similar thing (MRTRIX3), although I'm not sure exactly how they implemented it (is it stored at compilation or is it fetched at runtime like us?). But I agree this is rarely seen; the development tracker is usually separated from the software.
When you import tqdm, the tqdm._version module executes the following command:

This was meant to check if the user is running a pre-release version of tqdm.
But most of the time there's no git repo at all, so this is just a waste of time.
Worse, the current working directory might be part of an unrelated git repository, possibly a malicious one.
At least with git 2.10 or later, it's possible to craft a repo in which git log executes arbitrary code: