From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: "Junio C Hamano" <gitster@pobox.com>,
"Johannes Schindelin" <Johannes.Schindelin@gmx.de>,
"Git Mailing List" <git@vger.kernel.org>,
"Nguyễn Thái Ngọc Duy" <pclouds@gmail.com>
Subject: Re: PCRE v2 compile error, was Re: What's cooking in git.git (May 2017, #01; Mon, 1)
Date: Tue, 9 May 2017 00:37:14 +0000 [thread overview]
Message-ID: <20170509003714.ylwn5ezvu5h36kj7@genre.crustytoothpaste.net> (raw)
In-Reply-To: <CACBZZX4G_ThE55Gi53QJt1=9K4jQXqJ3QL8JSGpiSSSDRrKeNA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2191 bytes --]
On Tue, May 09, 2017 at 02:00:18AM +0200, Ævar Arnfjörð Bjarmason wrote:
> On Tue, May 9, 2017 at 1:32 AM, brian m. carlson
> <sandals@crustytoothpaste.net> wrote:
> > PCRE and PCRE2 also tend to have a lot of security updates, so I would
> > prefer if we didn't import them into the tree. It is far better for
> > users to use their distro's packages for PCRE, as it means they get
> > automatic security updates even if they're using an old Git.
> >
> > We shouldn't consider shipping anything with a remotely frequent history
> > of security updates in our tree, since people very frequently run old or
> > ancient versions of Git.
>
> I'm aware of its security record[1], but I wonder what threat model
> you have in mind here. I'm not aware of any parts of git (except maybe
> gitweb?) where we take regexes from untrusted sources.
>
> I.e. yes there have been DoS's & even some overflow bugs leading code
> execution in PCRE, but in the context of powering git-grep & git-log
> with PCRE this falls into the "stop hitting yourself" category.
Just because you don't drive Git with untrusted regexes doesn't mean
other people don't. It's not a good idea to require a stronger security
model than we absolutely have to, since people can and will violate it.
Think how devastating Shellshock was even though technically nobody
should provide insecure environment variables to the shell.
And, yes, gitweb does in fact call git grep. That means that git grep
must in fact be secure against untrusted regexes, or you have a remote
code execution vulnerability.
Furthermore, at work we distribute Git with all releases of our product.
We normally only do non-security updates to the last couple of releases,
but we provide security updates to all supported versions. I'm not
comfortable shipping the entirety of PCRE or PCRE2 to customers without
providing security updates, so you're going to make my job (and my
coworkers') a lot harder by shipping it. Please don't.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 868 bytes --]
next prev parent reply other threads:[~2017-05-09 0:37 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-01 5:35 What's cooking in git.git (May 2017, #01; Mon, 1) Junio C Hamano
2017-05-01 14:25 ` Ævar Arnfjörð Bjarmason
2017-05-01 16:21 ` Brandon Williams
2017-05-01 17:44 ` Ævar Arnfjörð Bjarmason
2017-05-01 19:29 ` Jeff King
2017-05-01 23:21 ` Junio C Hamano
2017-05-02 8:23 ` Ævar Arnfjörð Bjarmason
2017-05-02 9:35 ` Junio C Hamano
2017-05-02 12:31 ` Ævar Arnfjörð Bjarmason
2017-05-02 11:11 ` Johannes Schindelin
2017-05-02 12:09 ` PCRE v2 compile error, was " Johannes Schindelin
2017-05-02 12:27 ` Ævar Arnfjörð Bjarmason
2017-05-02 16:05 ` Johannes Schindelin
2017-05-02 18:52 ` Ævar Arnfjörð Bjarmason
2017-05-02 20:51 ` Kevin Daudt
2017-05-02 21:16 ` Ævar Arnfjörð Bjarmason
2017-05-03 9:45 ` Johannes Schindelin
2017-05-03 11:15 ` Duy Nguyen
2017-05-03 15:10 ` Ævar Arnfjörð Bjarmason
2017-05-04 9:11 ` Johannes Schindelin
2017-05-04 10:24 ` Ævar Arnfjörð Bjarmason
2017-05-04 11:32 ` Johannes Schindelin
2017-05-04 11:53 ` Ævar Arnfjörð Bjarmason
2017-05-08 6:30 ` Ævar Arnfjörð Bjarmason
2017-05-08 7:10 ` Junio C Hamano
2017-05-08 23:32 ` brian m. carlson
2017-05-09 0:00 ` Ævar Arnfjörð Bjarmason
2017-05-09 0:37 ` brian m. carlson [this message]
2017-05-09 10:40 ` Johannes Schindelin
2017-05-09 11:29 ` Ævar Arnfjörð Bjarmason
2017-05-09 11:12 ` Ævar Arnfjörð Bjarmason
2017-05-09 14:22 ` demerphq
2017-05-09 14:46 ` Ævar Arnfjörð Bjarmason
2017-05-02 17:43 ` Brandon Williams
2017-05-02 17:49 ` Ævar Arnfjörð Bjarmason
2017-05-05 1:12 ` Ramsay Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170509003714.ylwn5ezvu5h36kj7@genre.crustytoothpaste.net \
--to=sandals@crustytoothpaste.net \
--cc=Johannes.Schindelin@gmx.de \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=pclouds@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).