
Bug#773796: marked as done (wheezy-pu: package mercurial/2.2.2-4)



Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #773796,
regarding wheezy-pu: package mercurial/2.2.2-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773796
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in
handling case-sensitive directories allow for remote code execution on
pull).  The security team says that few users are affected by it as it
only affects you if you are running on a case-sensitive filesystem.
They say it should go through stable-proposed-updates.

Upstream has said that three patches[1] need to be backported to fix
it.  I've done it for wheezy and prepared an upload, see the attached
debdiff against the current version in wheezy: 2.2.2-3.

[0] https://security-tracker.debian.org/tracker/CVE-2014-9390
[1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mercurial-2.2.2/debian/changelog mercurial-2.2.2/debian/changelog
--- mercurial-2.2.2/debian/changelog	2013-02-23 20:53:41.000000000 +0100
+++ mercurial-2.2.2/debian/changelog	2014-12-23 12:42:25.000000000 +0100
@@ -1,3 +1,10 @@
+mercurial (2.2.2-4) stable; urgency=high
+
+  * Security update for CVE-2014-9390: errors in handling case-sensitive
+    directories allow for remote code execution on pull.
+
+ -- Javi Merino <vicho@debian.org>  Tue, 23 Dec 2014 12:42:20 +0100
+
 mercurial (2.2.2-3) unstable; urgency=low
 
   * Fix "Backport improvement to vimdiff configuration" by adding
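Review bot: the entry at `+  * Security update for CVE-2014-9390: errors in handling case-sensitive` describes the bug as a problem with case-sensitive directories, but the three patches this upload adds deal with HFS+ silently ignoring certain Unicode code points and with Windows short-name aliases of `.hg`, that is, with `.hg` being reachable under a different spelling on filesystems that are not strictly byte-preserving. Suggest rewording along the lines of "path auditing did not reject aliases of `.hg` reachable on HFS+ (ignored code points) and Windows (8.3 short names), allowing remote code execution on pull/update", and naming the three upstream revisions (885bd7c5c7e3, c02a05cc6f5e, 6dad422ecc5a from 3.2.3) so the stable changelog records exactly what was backported.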
diff -Nru mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
--- mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch	1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch	2014-12-23 10:33:58.000000000 +0100
@@ -0,0 +1,43 @@
+Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
+Description: encoding: add hfsignoreclean to clean out HFS-ignored characters
+ According to Apple Technote 1150 (unavailable from Apple as far as I
+ can tell, but archived in several places online), HFS+ ignores sixteen
+ specific unicode runes when doing path normalization. We need to
+ handle those cases, so this function lets us efficiently strip the
+ offending characters from a UTF-8 encoded string (which is the only
+ way it seems to matter on OS X.)
+ .
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/encoding.py
++++ b/mercurial/encoding.py
+@@ -8,6 +8,28 @@
+ import error
+ import unicodedata, locale, os
+ 
++# These unicode characters are ignored by HFS+ (Apple Technote 1150,
++# "Unicode Subtleties"), so we need to ignore them in some places for
++# sanity.
++_ignore = [unichr(int(x, 16)).encode("utf-8") for x in
++           "200c 200d 200e 200f 202a 202b 202c 202d 202e "
++           "206a 206b 206c 206d 206e 206f feff".split()]
++# verify the next function will work
++assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])
++
++def hfsignoreclean(s):
++    """Remove codepoints ignored by HFS+ from s.
++
++    >>> hfsignoreclean(u'.h\u200cg'.encode('utf-8'))
++    '.hg'
++    >>> hfsignoreclean(u'.h\ufeffg'.encode('utf-8'))
++    '.hg'
++    """
++    if "\xe2" in s or "\xef" in s:
++        for c in _ignore:
++            s = s.replace(c, '')
++    return s
++
+ def _getpreferredencoding():
+     '''
+     On darwin, getpreferredencoding ignores the locale environment and
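Review bot: the import-time `++assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])` is what makes the fast path `++    if "\xe2" in s or "\xef" in s:` sound, since every listed code point (U+200C..U+200F, U+202A..U+202E, U+206A..U+206F, U+FEFF) starts with byte 0xE2 or 0xEF in UTF-8; keep it in the backport rather than treating it as a debug statement. Two caveats deserve a line in the DEP-3 header: `unichr` and the byte-string `replace` are Python 2 constructs (fine for 2.2.2, but not forward-portable as is), and `hfsignoreclean` strips only these sixteen ignored code points, doing no case folding or Unicode normalisation itself, so it is only a complete check when combined with the `.lower()` the path auditor already applies. Also worth confirming that tests/test-doctest.py in 2.2.2 imports `mercurial.encoding`; if it does not, the two doctests in the docstring never run and the only coverage is the `hg co --clean tip` test in the following patch.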
diff -Nru mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
--- mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch	1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch	2014-12-23 10:33:58.000000000 +0100
@@ -0,0 +1,59 @@
+Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
+Description: pathauditor: check for codepoints ignored on OS X
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/tests/test-commit.t
++++ b/tests/test-commit.t
+@@ -216,7 +216,23 @@ subdir log
+   summary:     commit-foo-subdir
+   
+   $ cd ..
+-  $ cd ..
++
++verify pathauditor blocks evil filepaths
++  $ cat > evil-commit.py <<EOF
++  > from mercurial import ui, hg, context, node
++  > notrc = u".h\u200cg".encode('utf-8') + '/hgrc'
++  > u = ui.ui()
++  > r = hg.repository(u, '.')
++  > def filectxfn(repo, memctx, path):
++  >     return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++  > c = context.memctx(r, [r['tip'].node(), node.nullid],
++  >                    'evil', [notrc], filectxfn, 0)
++  > r.commitctx(c)
++  > EOF
++  $ $PYTHON evil-commit.py
++  $ hg co --clean tip
++  abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
++  [255]
+ 
+ Issue1049: Hg permits partial commit of merge without warning
+ 
+--- a/mercurial/scmutil.py
++++ b/mercurial/scmutil.py
+@@ -10,6 +10,9 @@ import util, error, osutil, revset, simi
+ import match as matchmod
+ import os, errno, re, stat, sys, glob
+ 
++def _lowerclean(s):
++    return encoding.hfsignoreclean(s.lower())
++
+ def nochangesfound(ui, secretlist=None):
+     '''report no changes for push/pull'''
+     if secretlist:
+@@ -102,11 +105,11 @@ class pathauditor(object):
+             raise util.Abort(_("path ends in directory separator: %s") % path)
+         parts = util.splitpath(path)
+         if (os.path.splitdrive(path)[0]
+-            or parts[0].lower() in ('.hg', '.hg.', '')
++            or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+             or os.pardir in parts):
+             raise util.Abort(_("path contains illegal component: %s") % path)
+-        if '.hg' in path.lower():
+-            lparts = [p.lower() for p in parts]
++        if '.hg' in _lowerclean(path):
++            lparts = [_lowerclean(p.lower()) for p in parts]
+             for p in '.hg', '.hg.':
+                 if p in lparts[1:]:
+                     pos = lparts.index(p)
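Review bot: `_lowerclean` calls `encoding.hfsignoreclean`, but the only import line visible in the hunk context is the truncated `import util, error, osutil, revset, simi`, so confirm that `encoding` is in that import list in wheezy's mercurial/scmutil.py; if it is not, every path-auditor check on a `.hg`-like component raises NameError instead of the intended abort. Minor style point at `+            lparts = [_lowerclean(p.lower()) for p in parts]`: `_lowerclean` already lowercases its argument, so `p.lower()` is redundant and `[_lowerclean(p) for p in parts]` reads more clearly. The test is well placed: the evil commit is built with `memctx`, so the `.h\u200cg/hgrc` path never has to exist on disk, and the expected `abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)` shows the auditor rejecting it on any host filesystem, not only on HFS+.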
diff -Nru mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
--- mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch	1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch	2014-12-23 10:33:58.000000000 +0100
@@ -0,0 +1,66 @@
+Origin: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
+Description: pathauditor: check for Windows shortname aliases
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/tests/test-commit.t
++++ b/tests/test-commit.t
+@@ -234,6 +234,42 @@ verify pathauditor blocks evil filepaths
+   abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
+   [255]
+ 
++  $ hg rollback -f
++  repository tip rolled back to revision 1 (undo commit)
++  $ cat > evil-commit.py <<EOF
++  > from mercurial import ui, hg, context, node
++  > notrc = "HG~1/hgrc"
++  > u = ui.ui()
++  > r = hg.repository(u, '.')
++  > def filectxfn(repo, memctx, path):
++  >     return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++  > c = context.memctx(r, [r['tip'].node(), node.nullid],
++  >                    'evil', [notrc], filectxfn, 0)
++  > r.commitctx(c)
++  > EOF
++  $ $PYTHON evil-commit.py
++  $ hg co --clean tip
++  abort: path contains illegal component: HG~1/hgrc
++  [255]
++
++  $ hg rollback -f
++  repository tip rolled back to revision 1 (undo commit)
++  $ cat > evil-commit.py <<EOF
++  > from mercurial import ui, hg, context, node
++  > notrc = "HG8B6C~2/hgrc"
++  > u = ui.ui()
++  > r = hg.repository(u, '.')
++  > def filectxfn(repo, memctx, path):
++  >     return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++  > c = context.memctx(r, [r['tip'].node(), node.nullid],
++  >                    'evil', [notrc], filectxfn, 0)
++  > r.commitctx(c)
++  > EOF
++  $ $PYTHON evil-commit.py
++  $ hg co --clean tip
++  abort: path contains illegal component: HG8B6C~2/hgrc
++  [255]
++
+ Issue1049: Hg permits partial commit of merge without warning
+ 
+   $ cd ..
+--- a/mercurial/scmutil.py
++++ b/mercurial/scmutil.py
+@@ -108,6 +108,13 @@ class pathauditor(object):
+             or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+             or os.pardir in parts):
+             raise util.Abort(_("path contains illegal component: %s") % path)
++        # Windows shortname aliases
++        for p in parts:
++            if "~" in p:
++                first, last = p.split("~", 1)
++                if last.isdigit() and first.upper() in ["HG", "HG8B6C"]:
++                    raise util.Abort(_("path contains illegal component: %s")
++                                     % path)
+         if '.hg' in _lowerclean(path):
+             lparts = [_lowerclean(p.lower()) for p in parts]
+             for p in '.hg', '.hg.':
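Review bot: the new loop is a fixed blocklist: it rejects only components of the form `HG~<digits>` and `HG8B6C~<digits>`, compared case-insensitively, and nothing in the hunk says where `HG8B6C` comes from; add a one-line comment that these are the two 8.3 short-name forms Windows generates for a directory named `.hg` (plain numeric tail and hash tail), otherwise the literal reads like a typo to the next maintainer. Note also that the check runs on the raw component `p` rather than on `_lowerclean(p)`, unlike the `.hg` checks immediately before and after it; that is defensible because the alias is a Windows-only artefact, but it deserves a comment so nobody later "fixes" it in either direction. The test hunk repeats the `evil-commit.py` heredoc three times with only `notrc` changing; a single script taking the path from `sys.argv[1]` would be shorter, though keeping upstream's test verbatim is a reasonable choice for a backport.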
diff -Nru mercurial-2.2.2/debian/patches/series mercurial-2.2.2/debian/patches/series
--- mercurial-2.2.2/debian/patches/series	2013-02-23 20:31:52.000000000 +0100
+++ mercurial-2.2.2/debian/patches/series	2014-12-23 10:33:58.000000000 +0100
@@ -11,3 +11,6 @@
 from_upstream__set_vimdiff_to_check_changed.patch
 from_upstream__mergetools_vimdiff_issue_warning.patch
 from_upstream__mergetools_refine_vimdiff_warning_message.patch
+from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
+from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
+from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
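Review bot: the order of the three appended entries is load-bearing and is correct here: the encoding patch introduces `hfsignoreclean`, which `_lowerclean` in the second patch calls, and the third patch's hunk context already contains the `_lowerclean(parts[0])` line added by the second, so quilt would fail to apply them in any other order. The filenames follow the existing `from_upstream__` naming in this series, which keeps it obvious which patches are backports and which are Debian-specific.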

--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---