Hi Raphael, On Wed, May 27, 2015 at 03:26:05PM +0200, Raphael Hertzog wrote: > On Wed, 27 May 2015, Javi Merino wrote: > > > If you are understaffed I'm happy to help preparing the update. I'll > > > hopefully have time to do it tomorrow, I'll claim the DLA when I start > > > working on it. > > > > I've prepared a package for squeeze lts that fixes CVE-2014-9462 and > > CVE-2014-9390. Find attached the debdiff. > > The attached debdiff compares the binary packages. Usually we are > interested by the debdiff on the source packages so that we can see what > you have changed. Sure, I always pass the wrong arguments to debdiff. For completeness, find attached the debdiff of the source packages. > I took a quick look at the changelog and at the backported patches. I did not > notice anything that looked like obviously wrong. Thanks! Javi
diff -Nru mercurial-1.6.4/debian/changelog mercurial-1.6.4/debian/changelog
--- mercurial-1.6.4/debian/changelog 2010-10-04 13:43:28.000000000 +0100
+++ mercurial-1.6.4/debian/changelog 2015-05-27 11:49:11.000000000 +0100
@@ -1,3 +1,16 @@
+mercurial (1.6.4-1+deb6u1) squeeze-lts; urgency=medium
+
+ * Fix "CVE-2014-9462" by adding patch
+ from_upstream__sshpeer_more_thorough_shell_quoting.patch
+ * Fix "CVE-2014-9390: Errors in handling case-sensitive directories
+ allow for remote code execution on pull" by adding patches
+ from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch,
+ from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch,
+ and
+ from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+
+ -- Javi Merino <vicho@debian.org> Wed, 27 May 2015 11:49:05 +0100
+
 mercurial (1.6.4-1) unstable; urgency=low
 
 * New upstream release 1.6.4 (Closes: #598850)
diff -Nru mercurial-1.6.4/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch mercurial-1.6.4/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
--- mercurial-1.6.4/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-1.6.4/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2015-05-22 02:45:03.000000000 +0100
@@ -0,0 +1,43 @@
+Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
+Description: encoding: add hfsignoreclean to clean out HFS-ignored characters
+ According to Apple Technote 1150 (unavailable from Apple as far as I
+ can tell, but archived in several places online), HFS+ ignores sixteen
+ specific unicode runes when doing path normalization. We need to
+ handle those cases, so this function lets us efficiently strip the
+ offending characters from a UTF-8 encoded string (which is the only
+ way it seems to matter on OS X.)
+ .
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/encoding.py
++++ b/mercurial/encoding.py
+@@ -8,6 +8,28 @@
+ import error
+ import sys, unicodedata, locale, os
+ 
++# These unicode characters are ignored by HFS+ (Apple Technote 1150,
++# "Unicode Subtleties"), so we need to ignore them in some places for
++# sanity.
++_ignore = [unichr(int(x, 16)).encode("utf-8") for x in
++ "200c 200d 200e 200f 202a 202b 202c 202d 202e "
++ "206a 206b 206c 206d 206e 206f feff".split()]
++# verify the next function will work
++assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])
++
++def hfsignoreclean(s):
++ """Remove codepoints ignored by HFS+ from s.
++
++ >>> hfsignoreclean(u'.h\u200cg'.encode('utf-8'))
++ '.hg'
++ >>> hfsignoreclean(u'.h\ufeffg'.encode('utf-8'))
++ '.hg'
++ """
++ if "\xe2" in s or "\xef" in s:
++ for c in _ignore:
++ s = s.replace(c, '')
++ return s
++
+ def _getpreferredencoding():
+ '''
+ On darwin, getpreferredencoding ignores the locale environment and
diff -Nru mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
--- mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2015-05-27 10:15:35.000000000 +0100
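Review bot: `hfsignoreclean` is only correct for UTF-8 byte strings — `_ignore` holds the UTF-8 encoding of each codepoint and the `"\xe2" in s or "\xef" in s` fast path tests for UTF-8 lead bytes — but the docstring does not say so, although the patch description does; I would open it with `"""Remove codepoints ignored by HFS+ from s, a UTF-8 encoded byte string."""`. The module-level `assert` that backs the fast path is stripped under `python -O`, so a comment on the `if "\xe2" in s or "\xef" in s:` line noting that it depends on every entry of `_ignore` starting with one of those two lead bytes would help whoever extends the list later.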
@@ -0,0 +1,32 @@
+Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
+Description: pathauditor: check for codepoints ignored on OS X
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/util.py
++++ b/mercurial/util.py
+@@ -486,6 +486,9 @@ def copyfiles(src, dst, hardlink=None):
+ 
+ return hardlink, num
+ 
++def _lowerclean(s):
++ return encoding.hfsignoreclean(s.lower())
++
+ class path_auditor(object):
+ '''ensure that a filesystem path contains no banned components.
+ the following properties of a path are checked:
+@@ -507,11 +510,11 @@ class path_auditor(object):
+ normpath = os.path.normcase(path)
+ parts = splitpath(normpath)
+ if (os.path.splitdrive(path)[0]
+- or parts[0].lower() in ('.hg', '.hg.', '')
++ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise Abort(_("path contains illegal component: %s") % path)
+- if '.hg' in path.lower():
+- lparts = [p.lower() for p in parts]
++ if '.hg' in _lowerclean(path):
++ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
+ if p in lparts[1:]:
+ pos = lparts.index(p)
diff -Nru mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
--- mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-1.6.4/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 2015-05-27 10:20:19.000000000 +0100
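Review bot: `lparts = [_lowerclean(p.lower()) for p in parts]` lowercases twice, since `_lowerclean` already calls `s.lower()`; `lparts = [_lowerclean(p) for p in parts]` is equivalent and reads the same as the `_lowerclean(parts[0])` check a few lines above. The new `_lowerclean` helper also depends on `encoding` being imported in util.py; the import block is outside the hunk, and since the upstream change targets 3.2.3 it is worth confirming that the 1.6.4 module already has it. The enclosing path_auditor method starts and ends outside the hunk.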
@@ -0,0 +1,21 @@
+Origin: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
+Description: pathauditor: check for Windows shortname aliases
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/util.py
++++ b/mercurial/util.py
+@@ -513,6 +513,13 @@ class path_auditor(object):
+ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise Abort(_("path contains illegal component: %s") % path)
++ # Windows shortname aliases
++ for p in parts:
++ if "~" in p:
++ first, last = p.split("~", 1)
++ if last.isdigit() and first.upper() in ["HG", "HG8B6C"]:
++ raise Abort(_("path contains illegal component: %s")
++ % path)
+ if '.hg' in _lowerclean(path):
+ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
diff -Nru mercurial-1.6.4/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch mercurial-1.6.4/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
--- mercurial-1.6.4/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-1.6.4/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 2015-05-19 04:34:37.000000000 +0100
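Review bot: The literal `["HG", "HG8B6C"]` on the `first.upper() in ...` line is unexplained in the hunk; a comment such as `# 8.3 short names Windows may assign to ".hg" (HG~1 style) -- confirm HG8B6C is the hashed form` would save the next reader a trip to the upstream changeset. For consistency with the `_lowerclean(parts[0])` check just above, `first` could be passed through `_lowerclean` before the comparison so both `.hg` checks normalise a component the same way; I have not checked whether upstream does this, so treat it as a question rather than a required change. The enclosing path_auditor method starts and ends outside the hunk.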
@@ -0,0 +1,35 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462. Adapted to 1.6.4 by Javi Merino <vicho@debian.org>
+Applied-Upstream: 3.2.4
+
+--- a/mercurial/sshrepo.py
++++ b/mercurial/sshrepo.py
+@@ -20,6 +20,14 @@ class remotelock(object):
+ if self.repo:
+ self.release()
+ 
++def _serverquote(s):
++ if not s:
++ return s
++ '''quote a string for the remote shell ... which we assume is sh'''
++ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
++ return s
++ return "'%s'" % s.replace("'", "'\\''")
++
+ class sshrepository(repo.repository):
+ def __init__(self, ui, path, create=0):
+ self._url = path
+@@ -37,7 +45,10 @@ class sshrepository(repo.repository):
+ sshcmd = self.ui.config("ui", "ssh", "ssh")
+ remotecmd = self.ui.config("ui", "remotecmd", "hg")
+ 
+- args = util.sshargs(sshcmd, self.host, self.user, self.port)
++ args = util.sshargs(sshcmd,
++ _serverquote(self.host),
++ _serverquote(self.user),
++ _serverquote(self.port))
+ 
+ if create:
+ cmd = '%s %s "%s init %s"'
diff -Nru mercurial-1.6.4/debian/patches/series mercurial-1.6.4/debian/patches/series
--- mercurial-1.6.4/debian/patches/series 2010-08-31 15:31:03.000000000 +0100
+++ mercurial-1.6.4/debian/patches/series 2015-05-22 02:44:01.000000000 +0100
@@ -7,3 +7,7 @@
 deb_specific__optional-dependencies
 proposed_upstream__correct-zeroconf-doc
 deb_specific__install-mo-fhs.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
+from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
+from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
+from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
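Review bot: The quoting is applied only to host, user and port, while the remote command template `'%s %s "%s init %s"'` in the hunk's last context line still has `remotecmd` and `self.path` interpolated without going through `_serverquote`; as far as I recall upstream's e3f30068d2eb also quotes those two and wraps the whole remote command with `util.shellquote`, so please diff this backport against the Origin changeset before upload. In `_serverquote` the `'''quote a string for the remote shell ...'''` line sits after the `if not s: return s` guard, so it is a bare expression statement rather than a docstring; move it to the first line of the function body. `re.match('[a-zA-Z0-9@%_+=:,./-]*$', s)` lets `$` match before a trailing newline, so `\Z` is the stricter anchor for an allow-list check like this. The hunk also relies on `re` already being imported in sshrepo.py, which is outside the hunk and worth confirming for 1.6.4; `__init__` continues past the end of the hunk.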