Hi Raphael, On Wed, May 27, 2015 at 03:26:05PM +0200, Raphael Hertzog wrote: > On Wed, 27 May 2015, Javi Merino wrote: > > > If you are understaffed I'm happy to help prepare the update. I'll > > > hopefully have time to do it tomorrow, I'll claim the DLA when I start > > > working on it. > > > > I've prepared a package for squeeze lts that fixes CVE-2014-9462 and > > CVE-2014-9390. Find attached the debdiff. > > The attached debdiff compares the binary packages. Usually we are > interested in the debdiff of the source packages so that we can see what > you have changed. Sure, I always pass the wrong arguments to debdiff. For completeness, find attached the debdiff of the source packages. > I took a quick look at the changelog and at the backported patches. I did not > notice anything that looked obviously wrong. Thanks! Javi
diff -Nru mercurial-1.6.4/debian/changelog mercurial-1.6.4/debian/changelog
--- mercurial-1.6.4/debian/changelog 2010-10-04 13:43:28.000000000 +0100
+++ mercurial-1.6.4/debian/changelog 2015-05-27 11:49:11.000000000 +0100
@@ -1,3 +1,16 @@
+mercurial (1.6.4-1+deb6u1) squeeze-lts; urgency=medium
+
+ * Fix "CVE-2014-9462" by adding patch
+ from_upstream__sshpeer_more_thorough_shell_quoting.patch
+ * Fix "CVE-2014-9390: Errors in handling case-sensitive directories
+ allow for remote code execution on pull" by adding patches
+ from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch,
+ from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch,
+ and
+ from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+
+ -- Javi Merino <vicho@debian.org> Wed, 27 May 2015 11:49:05 +0100
+
mercurial (1.6.4-1) unstable; urgency=low
* New upstream release 1.6.4 (Closes: #598850)
diff -Nru mercurial-1.6.4/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch mercurial-1.6.4/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
--- mercurial-1.6.4/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-1.6.4/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2015-05-22 02:45:03.000000000 +0100
@@ -0,0 +1,43 @@
+Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
+Description: encoding: add hfsignoreclean to clean out HFS-ignored characters
+ According to Apple Technote 1150 (unavailable from Apple as far as I
+ can tell, but archived in several places online), HFS+ ignores sixteen
+ specific unicode runes when doing path normalization. We need to
+ handle those cases, so this function lets us efficiently strip the
+ offending characters from a UTF-8 encoded string (which is the only
+ way it seems to matter on OS X.)
+ .
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/encoding.py
++++ b/mercurial/encoding.py
+@@ -8,6 +8,28 @@
+ import error
+ import sys, unicodedata, locale, os
+
++# These unicode characters are ignored by HFS+ (Apple Technote 1150,
++# "Unicode Subtleties"), so we need to ignore them in some places for
++# sanity.
++_ignore = [unichr(int(x, 16)).encode("utf-8") for x in
++ "200c 200d 200e 200f 202a 202b 202c 202d 202e "
++ "206a 206b 206c 206d 206e 206f feff".split()]
++# verify the next function will work
++assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])
++
++def hfsignoreclean(s):
++ """Remove codepoints ignored by HFS+ from s.
++
++ >>> hfsignoreclean(u'.h\u200cg'.encode('utf-8'))
++ '.hg'
++ >>> hfsignoreclean(u'.h\ufeffg'.encode('utf-8'))
++ '.hg'
++ """
++ if "\xe2" in s or "\xef" in s:
++ for c in _ignore:
++ s = s.replace(c, '')
++ return s
++
+ def _getpreferredencoding():
+ '''
+ On darwin, getpreferredencoding ignores the locale environment and
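Review bot: The fast path on the `if "\xe2" in s or "\xef" in s` line assumes `s` is a UTF-8 byte string; under Python 2 a `unicode` argument would most likely fail on that `in` test with UnicodeDecodeError instead of being returned unchanged, so the docstring should state the contract, e.g. `"""Remove codepoints ignored by HFS+ from s, a UTF-8 encoded byte string."""`. The `assert` that pins the two lead bytes is skipped under `python -O`, which is acceptable for a development-time invariant but deserves a comment saying that is the intent. Because the companion pathauditor patch makes `util.py` call `encoding.hfsignoreclean`, confirm that `mercurial/util.py` in 1.6.4 already imports `encoding`; if not, that import has to be added in the backport. `_getpreferredencoding`, whose header is the last context line, continues outside the hunk.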
diff -Nru mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
--- mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2015-05-27 10:15:35.000000000 +0100
@@ -0,0 +1,32 @@
+Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
+Description: pathauditor: check for codepoints ignored on OS X
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/util.py
++++ b/mercurial/util.py
+@@ -486,6 +486,9 @@ def copyfiles(src, dst, hardlink=None):
+
+ return hardlink, num
+
++def _lowerclean(s):
++ return encoding.hfsignoreclean(s.lower())
++
+ class path_auditor(object):
+ '''ensure that a filesystem path contains no banned components.
+ the following properties of a path are checked:
+@@ -507,11 +510,11 @@ class path_auditor(object):
+ normpath = os.path.normcase(path)
+ parts = splitpath(normpath)
+ if (os.path.splitdrive(path)[0]
+- or parts[0].lower() in ('.hg', '.hg.', '')
++ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise Abort(_("path contains illegal component: %s") % path)
+- if '.hg' in path.lower():
+- lparts = [p.lower() for p in parts]
++ if '.hg' in _lowerclean(path):
++ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
+ if p in lparts[1:]:
+ pos = lparts.index(p)
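Review bot: On the `lparts = [_lowerclean(p.lower()) for p in parts]` line the `.lower()` is redundant, because `_lowerclean` already lowercases before stripping; `lparts = [_lowerclean(p) for p in parts]` matches the `parts[0]` check a few lines above. `_lowerclean` should carry a one-line docstring such as `"""Lowercase s and strip the codepoints HFS+ ignores, so '.hg' checks cannot be evaded by case or invisible characters."""`. The helper relies on `encoding` being in scope in `util.py`; if 1.6.4's `util.py` does not import it, every audited path fails with NameError rather than being checked. The `path_auditor` method being patched starts and ends outside the inner hunk.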
diff -Nru mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
--- mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 2015-05-27 10:20:19.000000000 +0100
@@ -0,0 +1,21 @@
+Origin: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
+Description: pathauditor: check for Windows shortname aliases
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/util.py
++++ b/mercurial/util.py
+@@ -513,6 +513,13 @@ class path_auditor(object):
+ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise Abort(_("path contains illegal component: %s") % path)
++ # Windows shortname aliases
++ for p in parts:
++ if "~" in p:
++ first, last = p.split("~", 1)
++ if last.isdigit() and first.upper() in ["HG", "HG8B6C"]:
++ raise Abort(_("path contains illegal component: %s")
++ % path)
+ if '.hg' in _lowerclean(path):
+ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
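Review bot: The literal `"HG8B6C"` in the `first.upper() in ["HG", "HG8B6C"]` check is an unexplained magic value; a comment such as `# 8.3 short-name aliases of ".hg": HG~N and, when the name is hashed, HG8B6C~N` would save the next reader a trip to the upstream commit — presumably that is the checksum-form short name of `.hg`, confirm against the upstream changeset. The `p.split("~", 1)` unpack is safe since the `"~" in p` guard guarantees exactly two pieces. The check sits between the `parts[0]` test and the `'.hg' in _lowerclean(path)` test, so it sees every component; that placement is fine. The enclosing `path_auditor` method starts and ends outside the inner hunk.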
diff -Nru mercurial-1.6.4/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch mercurial-1.6.4/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
--- mercurial-1.6.4/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-1.6.4/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 2015-05-19 04:34:37.000000000 +0100
@@ -0,0 +1,35 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462. Adapted to 1.6.4 by Javi Merino <vicho@debian.org>
+Applied-Upstream: 3.2.4
+
+--- a/mercurial/sshrepo.py
++++ b/mercurial/sshrepo.py
+@@ -20,6 +20,14 @@ class remotelock(object):
+ if self.repo:
+ self.release()
+
++def _serverquote(s):
++ if not s:
++ return s
++ '''quote a string for the remote shell ... which we assume is sh'''
++ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
++ return s
++ return "'%s'" % s.replace("'", "'\\''")
++
+ class sshrepository(repo.repository):
+ def __init__(self, ui, path, create=0):
+ self._url = path
+@@ -37,7 +45,10 @@ class sshrepository(repo.repository):
+ sshcmd = self.ui.config("ui", "ssh", "ssh")
+ remotecmd = self.ui.config("ui", "remotecmd", "hg")
+
+- args = util.sshargs(sshcmd, self.host, self.user, self.port)
++ args = util.sshargs(sshcmd,
++ _serverquote(self.host),
++ _serverquote(self.user),
++ _serverquote(self.port))
+
+ if create:
+ cmd = '%s %s "%s init %s"'
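Review bot: The backported patch ends at the `cmd = '%s %s "%s init %s"'` line, so only host, user and port are passed through `_serverquote` on their way into `util.sshargs`; as far as I recall, the upstream 3.2.4 change also quoted `remotecmd` and `self.path` and wrapped the `init`/`serve` command with `util.shellquote`. If 1.6.4 still interpolates `self.path` into that double-quoted string unchanged, the CVE-2014-9462 fix is narrower than upstream's and should be extended, or the Description should explain why the adaptation stops there. In `_serverquote` the `'''quote a string for the remote shell ... which we assume is sh'''` line follows a statement and is therefore a bare expression rather than a docstring; move it to the first line of the body. The `$` in `re.match('[a-zA-Z0-9@%_+=:,./-]*$', s)` also matches before a trailing newline, so a value ending in `\n` is returned unquoted; `\Z` is the strict end anchor. `sshrepository.__init__` continues past the hunk, and `re` must already be imported in `sshrepo.py` for the helper to work.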
diff -Nru mercurial-1.6.4/debian/patches/series mercurial-1.6.4/debian/patches/series
--- mercurial-1.6.4/debian/patches/series 2010-08-31 15:31:03.000000000 +0100
+++ mercurial-1.6.4/debian/patches/series 2015-05-22 02:44:01.000000000 +0100
@@ -7,3 +7,7 @@
deb_specific__optional-dependencies
proposed_upstream__correct-zeroconf-doc
deb_specific__install-mo-fhs.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
+from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
+from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
+from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch