CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull

Related Vulnerabilities: CVE-2014-9390  

Debian Bug report logs - #773640


Reported by: Javi Merino <vicho@debian.org>

Date: Sun, 21 Dec 2014 11:39:01 UTC

Severity: important

Tags: security, upstream

Found in version mercurial/3.1.2-1

Fixed in version mercurial/3.1.2-2

Done: Javi Merino <vicho@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, vicho@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#773640; Package mercurial. (Sun, 21 Dec 2014 11:39:06 GMT)


Acknowledgement sent to Javi Merino <vicho@debian.org>:
New Bug report received and forwarded. Copy sent to vicho@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sun, 21 Dec 2014 11:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Javi Merino <vicho@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull
Date: Sun, 21 Dec 2014 12:38:02 +0100

Package: mercurial
Version: 3.1.2-1
Severity: important
Tags: security upstream

CVE-2014-9390[0][1] is a security vulnerability that affects mercurial
repositories in a case-sensitive filesystem (e.g. VFAT or HFS+).  It
allows for remote code execution of a specially crafted repository.
This is less severe for the average Debian installation as they are
usually set up with case-insensitive filesystems.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
[1] https://security-tracker.debian.org/tracker/CVE-2014-9390

This affects both Wheezy and Jessie.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mercurial depends on:
ii  libc6             2.19-13
ii  mercurial-common  3.1.2-1
ii  python            2.7.8-2
ii  ucf               3.0030

Versions of packages mercurial recommends:
ii  openssh-client  1:6.7p1-3

Versions of packages mercurial suggests:
pn  kdiff3 | kdiff3-qt | kompare | meld | tkcvs | mgdiff  <none>
pn  qct                                                   <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#773640; Package mercurial. (Sun, 21 Dec 2014 12:12:04 GMT)


Acknowledgement sent to Javi Merino <vicho@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sun, 21 Dec 2014 12:12:04 GMT)


Message #10 received at 773640@bugs.debian.org:

From: Javi Merino <vicho@debian.org>
To: 773640@bugs.debian.org
Subject: Re: Bug#773640: CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull
Date: Sun, 21 Dec 2014 13:09:57 +0100

On Sun, Dec 21, 2014 at 12:38:02PM +0100, Javi Merino wrote:
> Package: mercurial
> Version: 3.1.2-1
> Severity: important
> Tags: security upstream
> 
> CVE-2014-9390[0][1] is a security vulnerability that affects mercurial
> repositories in a case-sensitive filesystem (eg. VFAT or HFS+).  It
> allows for remote code execution of a specially crafted repository.
> This is less severe for the average Debian installation as they are
> usually set up with case-insensitive filesystems.
> 
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
> [1] https://security-tracker.debian.org/tracker/CVE-2014-9390
> 
> This affects both Wheezy and Jessie.

In Ubuntu[0] they've fixed it by applying the following patches:

- http://selenic.com/repo/hg-stable/rev/035434b407be
- http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
- http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
- http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e
- http://selenic.com/repo/hg-stable/rev/6dad422ecc5a

[0] https://bugs.launchpad.net/ubuntu/+source/git/+bug/1404035
[1] https://launchpadlibrarian.net/193058010/mercurial_3.1.2-1ubuntu1_source.changes

I'm working on applying the same patches.



Added tag(s) pending. Request was from vicho@users.alioth.debian.org to control@bugs.debian.org. (Sun, 21 Dec 2014 20:27:14 GMT)


Reply sent to Javi Merino <vicho@debian.org>:
You have taken responsibility. (Tue, 23 Dec 2014 23:39:05 GMT)


Notification sent to Javi Merino <vicho@debian.org>:
Bug acknowledged by developer. (Tue, 23 Dec 2014 23:39:05 GMT)


Message #17 received at 773640-close@bugs.debian.org:

From: Javi Merino <vicho@debian.org>
To: 773640-close@bugs.debian.org
Subject: Bug#773640: fixed in mercurial 3.1.2-2
Date: Tue, 23 Dec 2014 23:36:13 +0000

Source: mercurial
Source-Version: 3.1.2-2

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javi Merino <vicho@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 23 Dec 2014 16:01:50 +0100
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source all amd64
Version: 3.1.2-2
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Javi Merino <vicho@debian.org>
Description:
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 773640
Changes:
 mercurial (3.1.2-2) unstable; urgency=high
 .
   * Fix "CVE-2014-9390: Errors in handling case-sensitive directories
     allow for remote code execution on pull" by adding patches
     from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch,
     from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch,
     and
     from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
     (Closes: #773640)
Checksums-Sha1:
 fdb10bc443c9b4df6e548c9d1f8897b31e921225 2245 mercurial_3.1.2-2.dsc
 87136a9c966ac71be476fca9f79d357d3b12f975 46644 mercurial_3.1.2-2.debian.tar.xz
 25d5525fa86adce65d3e4ecdcd1ce955377d4029 1598232 mercurial-common_3.1.2-2_all.deb
 d9a8e8a86ca4d9db5933753ebe07a800e6cf7f99 59900 mercurial_3.1.2-2_amd64.deb
Checksums-Sha256:
 6c951dddaee50880db324618700a5062c5d0791b57b443657c221d8f5a9d2ab9 2245 mercurial_3.1.2-2.dsc
 5bcf0f922e1f52ab95a6b10e943879fb0652b27ab1f5c108b20fddc23873dfb1 46644 mercurial_3.1.2-2.debian.tar.xz
 c03c83e02517bf6b7d9fd5d18f1e7fc39bac797abfffd026fe6d353704dc5300 1598232 mercurial-common_3.1.2-2_all.deb
 20d12ef4ba8591ecdab7c25511caddbd853de0453af776ee2e4bbbe3ef718ac1 59900 mercurial_3.1.2-2_amd64.deb
Files:
 24f6350a1977b3bca112fb41eeb6a7b8 2245 vcs optional mercurial_3.1.2-2.dsc
 f606643dadd74cb4067bd26c6dfd4722 46644 vcs optional mercurial_3.1.2-2.debian.tar.xz
 835a5e6e347e600554ffd8b8408a90f9 1598232 vcs optional mercurial-common_3.1.2-2_all.deb
 2737fe53315849bc9aac5bd2f8e6801b 59900 vcs optional mercurial_3.1.2-2_amd64.deb

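The three upstream patches named in the changelog above all come down to one idea: before a path pulled from a remote changeset is written into the working directory, every component must be normalised the way the target filesystem will normalise it, and only then compared against ".hg". The Python 3 example below is added here as an illustration; it is not Mercurial's code and not part of the bug report. It reconstructs the checks the patch titles describe (HFS+-ignored codepoints, case folding, Windows trailing-dot stripping and 8.3 short-name aliases) in a standalone path auditor, and contrasts it with a naive exact-string check to show which crafted paths the naive check lets through. The list of HFS+-ignored codepoints and the two short-name stems are reproduced from memory of Mercurial's encoding.hfsignoreclean and pathutil and should be treated as assumptions, as should the function names; the sample manifest paths are constructed for the demo.

```python
"""Path auditing against '.hg' aliases (added example, not Mercurial's code).

A pulled changeset can track a path whose components are not literally
".hg" but resolve to the repository's ".hg" directory on the target
filesystem.  Writing such a file (for instance an hgrc that defines a hook)
into the working directory lets the crafted repository run commands on the
victim's next hg invocation.  The auditor below rejects such paths before
anything is written.
"""
from typing import Callable, Dict, List, Optional

# Codepoints HFS+ ignores when comparing file names.  Assumption: this is
# the list Mercurial's encoding.hfsignoreclean strips (from memory).
HFS_IGNORED = {
    chr(int(cp, 16))
    for cp in (
        "200c 200d 200e 200f 202a 202b 202c 202d 202e "
        "206a 206b 206c 206d 206e 206f feff"
    ).split()
}

# Windows 8.3 short-name stems that alias a ".hg" directory (leading dot
# dropped, optional hash suffix).  Assumption: mirrors upstream's list.
SHORTNAME_STEMS = ("hg", "hg8b6c")


def hfsignoreclean(name: str) -> str:
    """Drop HFS+-ignored codepoints so '.h<U+200C>g' compares as '.hg'."""
    return "".join(ch for ch in name if ch not in HFS_IGNORED)


def naive_is_hg(component: str) -> bool:
    """Pre-fix style check: exact, case-sensitive string comparison."""
    return component == ".hg"


def hardened_is_hg(component: str) -> bool:
    """True if `component` names the .hg directory on any target filesystem:
    case-insensitive (VFAT, NTFS, HFS+), HFS+ ignored codepoints, Windows
    trailing-dot stripping ('.hg.'), or a Windows 8.3 short name ('HG~1')."""
    c = hfsignoreclean(component).lower()
    if c in (".hg", ".hg."):
        return True
    if "~" in c:
        stem, tail = c.split("~", 1)
        if tail.isdigit() and stem in SHORTNAME_STEMS:
            return True
    return False


AliasCheck = Callable[[str], bool]


def reject_reason(path: str, is_hg: AliasCheck = hardened_is_hg) -> Optional[str]:
    """Return why a manifest path ('/'-separated, repo-relative) must not be
    written to the working directory, or None if it is acceptable."""
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return "absolute path or drive letter"
    parts = path.split("/")
    if "" in parts or "." in parts:
        return "empty or '.' component"
    if ".." in parts:
        return "parent-directory traversal"
    for i, part in enumerate(parts):
        if is_hg(part):
            where = "repository metadata directory" if i == 0 else "nested repository"
            return f"{where}: {part!r}"
    return None


def audit_manifest(paths: List[str], is_hg: AliasCheck = hardened_is_hg) -> Dict[str, str]:
    """Map each rejected path to its reason; accepted paths are omitted."""
    rejected: Dict[str, str] = {}
    for p in paths:
        reason = reject_reason(p, is_hg)
        if reason is not None:
            rejected[p] = reason
    return rejected


# Constructed sample of paths a malicious changeset might track.
SAMPLE_MANIFEST = [
    "README",
    "src/main.py",
    ".h\u200cg/hgrc",       # U+200C is ignored by HFS+: lands in .hg/hgrc
    ".HG/hgrc",             # case-insensitive filesystems fold this to .hg
    "HG~1/hgrc",            # Windows 8.3 short name for .hg
    "lib/.hg/store/data",   # would plant a nested repository
    "../escape",            # plain traversal, caught by both checks
]

if __name__ == "__main__":
    naive = audit_manifest(SAMPLE_MANIFEST, naive_is_hg)
    hardened = audit_manifest(SAMPLE_MANIFEST, hardened_is_hg)
    for p in SAMPLE_MANIFEST:
        print(f"{p!r:28} naive={naive.get(p, 'ok'):36} hardened={hardened.get(p, 'ok')}")
```

Run as a script it prints one line per sample path; the naive check rejects only the literal ".hg" component and the ".." traversal, while the hardened check also rejects the zero-width-joiner, upper-case and short-name spellings. The point of the design is that normalisation happens per component and the comparison is made on the normalised form, so new aliasing rules (another ignored codepoint, another short-name stem) are a one-line change to the data rather than a new special case.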




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 24 Jan 2015 07:27:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:20:30 2019; Machine Name: buxtehude
