On Tue, May 09, 2017 at 02:00:18AM +0200, Ævar Arnfjörð Bjarmason wrote:
> On Tue, May 9, 2017 at 1:32 AM, brian m. carlson
> wrote:
> > PCRE and PCRE2 also tend to have a lot of security updates, so I would
> > prefer if we didn't import them into the tree. It is far better for
> > users to use their distro's packages for PCRE, as it means they get
> > automatic security updates even if they're using an old Git.
> >
> > We shouldn't consider shipping anything with a remotely frequent history
> > of security updates in our tree, since people very frequently run old or
> > ancient versions of Git.
>
> I'm aware of its security record[1], but I wonder what threat model
> you have in mind here. I'm not aware of any parts of git (except maybe
> gitweb?) where we take regexes from untrusted sources.
>
> I.e. yes there have been DoS's & even some overflow bugs leading to code
> execution in PCRE, but in the context of powering git-grep & git-log
> with PCRE this falls into the "stop hitting yourself" category.

Just because you don't drive Git with untrusted regexes doesn't mean other
people don't. It's not a good idea to require a stronger security model
than we absolutely have to, since people can and will violate it. Think
how devastating Shellshock was even though technically nobody should
provide insecure environment variables to the shell.

And, yes, gitweb does in fact call git grep. That means that git grep must
in fact be secure against untrusted regexes, or you have a remote code
execution vulnerability.

Furthermore, at work we distribute Git with all releases of our product.
We normally only do non-security updates to the last couple of releases,
but we provide security updates to all supported versions. I'm not
comfortable shipping the entirety of PCRE or PCRE2 to customers without
providing security updates, so you're going to make my job (and my
coworkers') a lot harder by shipping it. Please don't.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204