--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package mercurial/2.2.2-4
- From: Javi Merino <vicho@debian.org>
- Date: Tue, 23 Dec 2014 13:15:47 +0100
- Message-id: <20141223121547.18763.28958.reportbug@tesla>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in
handling case-sensitive directories allow for remote code execution on
pull). The security team says that few users are affected by it as it
only affects you if you are running on a case-sensitive filesystem.
They say it should go through stable-proposed-updates.
Upstream has said that three patches[1] need to be backported to fix
it. I've done it for wheezy and prepared an upload, see the attached
debdiff against the current version in wheezy: 2.2.2-3.
[0] https://security-tracker.debian.org/tracker/CVE-2014-9390
[1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mercurial-2.2.2/debian/changelog mercurial-2.2.2/debian/changelog
--- mercurial-2.2.2/debian/changelog 2013-02-23 20:53:41.000000000 +0100
+++ mercurial-2.2.2/debian/changelog 2014-12-23 12:42:25.000000000 +0100
@@ -1,3 +1,10 @@
+mercurial (2.2.2-4) stable; urgency=high
+
+ * Security update for CVE-2014-9390: errors in handling case-sensitive
+ directories allow for remote code execution on pull.
+
+ -- Javi Merino <vicho@debian.org> Tue, 23 Dec 2014 12:42:20 +0100
+
mercurial (2.2.2-3) unstable; urgency=low
* Fix "Backport improvement to vimdiff configuration" by adding
diff -Nru mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
--- mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2014-12-23 10:33:58.000000000 +0100
@@ -0,0 +1,43 @@
+Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
+Description: encoding: add hfsignoreclean to clean out HFS-ignored characters
+ According to Apple Technote 1150 (unavailable from Apple as far as I
+ can tell, but archived in several places online), HFS+ ignores sixteen
+ specific unicode runes when doing path normalization. We need to
+ handle those cases, so this function lets us efficiently strip the
+ offending characters from a UTF-8 encoded string (which is the only
+ way it seems to matter on OS X.)
+ .
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/encoding.py
++++ b/mercurial/encoding.py
+@@ -8,6 +8,28 @@
+ import error
+ import unicodedata, locale, os
+
++# These unicode characters are ignored by HFS+ (Apple Technote 1150,
++# "Unicode Subtleties"), so we need to ignore them in some places for
++# sanity.
++_ignore = [unichr(int(x, 16)).encode("utf-8") for x in
++ "200c 200d 200e 200f 202a 202b 202c 202d 202e "
++ "206a 206b 206c 206d 206e 206f feff".split()]
++# verify the next function will work
++assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])
++
++def hfsignoreclean(s):
++ """Remove codepoints ignored by HFS+ from s.
++
++ >>> hfsignoreclean(u'.h\u200cg'.encode('utf-8'))
++ '.hg'
++ >>> hfsignoreclean(u'.h\ufeffg'.encode('utf-8'))
++ '.hg'
++ """
++ if "\xe2" in s or "\xef" in s:
++ for c in _ignore:
++ s = s.replace(c, '')
++ return s
++
+ def _getpreferredencoding():
+ '''
+ On darwin, getpreferredencoding ignores the locale environment and
diff -Nru mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
--- mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2014-12-23 10:33:58.000000000 +0100
@@ -0,0 +1,59 @@
+Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
+Description: pathauditor: check for codepoints ignored on OS X
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/tests/test-commit.t
++++ b/tests/test-commit.t
+@@ -216,7 +216,23 @@ subdir log
+ summary: commit-foo-subdir
+
+ $ cd ..
+- $ cd ..
++
++verify pathauditor blocks evil filepaths
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = u".h\u200cg".encode('utf-8') + '/hgrc'
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
++ [255]
+
+ Issue1049: Hg permits partial commit of merge without warning
+
+--- a/mercurial/scmutil.py
++++ b/mercurial/scmutil.py
+@@ -10,6 +10,9 @@ import util, error, osutil, revset, simi
+ import match as matchmod
+ import os, errno, re, stat, sys, glob
+
++def _lowerclean(s):
++ return encoding.hfsignoreclean(s.lower())
++
+ def nochangesfound(ui, secretlist=None):
+ '''report no changes for push/pull'''
+ if secretlist:
+@@ -102,11 +105,11 @@ class pathauditor(object):
+ raise util.Abort(_("path ends in directory separator: %s") % path)
+ parts = util.splitpath(path)
+ if (os.path.splitdrive(path)[0]
+- or parts[0].lower() in ('.hg', '.hg.', '')
++ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise util.Abort(_("path contains illegal component: %s") % path)
+- if '.hg' in path.lower():
+- lparts = [p.lower() for p in parts]
++ if '.hg' in _lowerclean(path):
++ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
+ if p in lparts[1:]:
+ pos = lparts.index(p)
diff -Nru mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
--- mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 2014-12-23 10:33:58.000000000 +0100
@@ -0,0 +1,66 @@
+Origin: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
+Description: pathauditor: check for Windows shortname aliases
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/tests/test-commit.t
++++ b/tests/test-commit.t
+@@ -234,6 +234,42 @@ verify pathauditor blocks evil filepaths
+ abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
+ [255]
+
++ $ hg rollback -f
++ repository tip rolled back to revision 1 (undo commit)
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = "HG~1/hgrc"
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: HG~1/hgrc
++ [255]
++
++ $ hg rollback -f
++ repository tip rolled back to revision 1 (undo commit)
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = "HG8B6C~2/hgrc"
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: HG8B6C~2/hgrc
++ [255]
++
+ Issue1049: Hg permits partial commit of merge without warning
+
+ $ cd ..
+--- a/mercurial/scmutil.py
++++ b/mercurial/scmutil.py
+@@ -108,6 +108,13 @@ class pathauditor(object):
+ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise util.Abort(_("path contains illegal component: %s") % path)
++ # Windows shortname aliases
++ for p in parts:
++ if "~" in p:
++ first, last = p.split("~", 1)
++ if last.isdigit() and first.upper() in ["HG", "HG8B6C"]:
++ raise util.Abort(_("path contains illegal component: %s")
++ % path)
+ if '.hg' in _lowerclean(path):
+ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
diff -Nru mercurial-2.2.2/debian/patches/series mercurial-2.2.2/debian/patches/series
--- mercurial-2.2.2/debian/patches/series 2013-02-23 20:31:52.000000000 +0100
+++ mercurial-2.2.2/debian/patches/series 2014-12-23 10:33:58.000000000 +0100
@@ -11,3 +11,6 @@
from_upstream__set_vimdiff_to_check_changed.patch
from_upstream__mergetools_vimdiff_issue_warning.patch
from_upstream__mergetools_refine_vimdiff_warning_message.patch
+from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
+from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
+from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
--- End Message ---