CVE-2019-3902


Debian Bug report logs - #927674
CVE-2019-3902


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 20 Apr 2019 22:36:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions mercurial/4.0-1+deb9u1, mercurial/4.8.2-1, mercurial/4.0-1

Fixed in versions mercurial/4.9-1, mercurial/4.8.2-1+deb10u1

Done: Julien Cristau <jcristau@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#927674; Package src:mercurial. (Sat, 20 Apr 2019 22:36:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 20 Apr 2019 22:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-3902
Date: Sun, 21 Apr 2019 00:32:13 +0200

Source: mercurial
Version: 4.8.2-1
Severity: grave
Tags: security

See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:

This was assigned CVE-2019-3902:
It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking
logic and write files outside a repository. This has been fixed. Users on older versions
can either disable subrepositories with [subrepos] allowed=false in their configuration
or by ensuring any cloned repositories don't contain malicious symlinks.

This is fixed in sid, but buster still has 4.8.2.

Cheers,
        Moritz
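The report above describes the bug class in one sentence: a symlink committed in the parent repository sits under a path that looks like it is inside the checkout, and a subrepository entry placed beneath that symlink makes the clone write through it to a location outside the repository. The following is an added example, not Mercurial's own path-checking code and not part of this bug report. It contrasts a string-only containment check with one that walks the path on the real filesystem, builds a throwaway checkout containing such a symlink (constructed for the example), and checks an hgrc fragment for the `[subrepos] allowed = false` mitigation the report mentions. The hgrc parsing via `configparser` is an approximation of Mercurial's INI-like syntax, and the directory names `vendor`, `outside` and `lib` are assumptions of this example.

```python
import configparser
import os
import tempfile


def naive_inside_root(root, relpath):
    """String-only containment check.

    Normalises the joined path and tests the prefix.  A symlink committed
    inside the repository is invisible to this check: the string stays
    under ``root`` while the filesystem target does not.
    """
    root = os.path.abspath(root)
    target = os.path.normpath(os.path.join(root, relpath))
    return target == root or target.startswith(root + os.sep)


def symlink_aware_inside_root(root, relpath):
    """Walk ``relpath`` one component at a time on the real filesystem.

    Rejects ``..`` components, any intermediate component that is itself
    a symlink, and any prefix whose resolved location leaves ``root``.
    This is the property a subrepository path must satisfy before the
    subrepo is cloned into it.
    """
    root = os.path.realpath(root)
    current = root
    for part in relpath.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            return False
        current = os.path.join(current, part)
        if os.path.islink(current):
            return False
        real = os.path.realpath(current)
        if real != root and not real.startswith(root + os.sep):
            return False
    return True


# Hypothetical hgrc fragments: a default config with no [subrepos] section
# beside the mitigation named in the advisory.  Constructed for this example.
HGRC_DEFAULT = "[ui]\nusername = example\n"
HGRC_HARDENED = "[subrepos]\nallowed = false\n"


def subrepos_disabled(hgrc_text):
    """True if the hgrc text carries ``[subrepos] allowed = false``.

    Mercurial's config syntax is INI-like, so configparser is a close
    enough approximation for this key (an assumption of this example).
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(hgrc_text)
    value = cfg.get("subrepos", "allowed", fallback="true")
    return value.strip().lower() == "false"


def demo():
    """Build a throwaway checkout with a symlink escaping the repo root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(root)
    os.makedirs(outside)
    # The attacker commits this symlink in the parent repository ...
    os.symlink(outside, os.path.join(root, "vendor"))
    # ... and a .hgsub entry that places a subrepository beneath it.
    subrepo_path = "vendor/lib"
    return {
        "naive": naive_inside_root(root, subrepo_path),
        "symlink_aware": symlink_aware_inside_root(root, subrepo_path),
        "resolved": os.path.realpath(os.path.join(root, subrepo_path)),
        "outside": os.path.realpath(outside),
        "default_hgrc_safe": subrepos_disabled(HGRC_DEFAULT),
        "hardened_hgrc_safe": subrepos_disabled(HGRC_HARDENED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the naive check accepting `vendor/lib` while the resolved path lands under `outside`, and the symlink-aware walk rejecting it at the `vendor` component. The same walk is what an audit script would run over every `.hgsub` entry of an untrusted clone before allowing subrepositories.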



Marked as fixed in versions mercurial/4.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Apr 2019 06:15:03 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Apr 2019 06:15:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 21 Apr 2019 06:15:04 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Apr 2019 06:15:05 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#927674. (Sun, 21 Apr 2019 06:15:07 GMT)


Message #16 received at 927674-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 927674-submitter@bugs.debian.org
Subject: closing 927674
Date: Sun, 21 Apr 2019 08:12:06 +0200

close 927674 4.9-1
thanks




Marked as found in versions mercurial/4.0-1+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2019 19:21:05 GMT)


Marked as found in versions mercurial/4.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2019 19:21:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#927674; Package src:mercurial. (Sun, 26 May 2019 19:09:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sun, 26 May 2019 19:09:02 GMT)


Message #25 received at 927674@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 927674@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: CVE-2019-3902
Date: Sun, 26 May 2019 21:07:11 +0200

On Sun, Apr 21, 2019 at 12:32:13AM +0200, Moritz Muehlenhoff wrote:
> Source: mercurial
> Version: 4.8.2-1
> Severity: grave
> Tags: security
> 
> See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:
> 
> This was assigned CVE-2019-3902:
> It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking
> logic and write files outside a repository. This has been fixed. Users on older versions
> can either disable subrepositories with [subrepos] allowed=false in their configuration
> or by ensuring any cloned repositories don't contain malicious symlinks.
> 
> This is fixed in sid, but buster still has 4.8.2.

A month later this is still unfixed in buster. Does anyone care about having this
in a stable release? Probably not, because no one cared about stretch already either:
https://security-tracker.debian.org/tracker/source-package/mercurial

If that's the case, let's drop it from buster?

Cheers,
         Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#927674; Package src:mercurial. (Tue, 28 May 2019 08:51:04 GMT)


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Tue, 28 May 2019 08:51:04 GMT)


Message #30 received at 927674@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 927674@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: Bug#927674: CVE-2019-3902
Date: Tue, 28 May 2019 10:47:19 +0200

On Sun, May 26, 2019 at 09:07:11PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Apr 21, 2019 at 12:32:13AM +0200, Moritz Muehlenhoff wrote:
> > Source: mercurial
> > Version: 4.8.2-1
> > Severity: grave
> > Tags: security
> > 
> > See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:
> > 
> > This was assigned CVE-2019-3902:
> > It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking
> > logic and write files outside a repository. This has been fixed. Users on older versions
> > can either disable subrepositories with [subrepos] allowed=false in their configuration
> > or by ensuring any cloned repositories don't contain malicious symlinks.
> > 
> > This is fixed in sid, but buster still has 4.8.2.
> 
> A month later this is still unfixed in buster. Does anyone care about having this
> in a stable release? Probably not, because no one cared about stretch already either:
> https://security-tracker.debian.org/tracker/source-package/mercurial
> 
So initially my hope was to get 4.9 in buster, however that failed due
to reverse deps (hg-git and tortoisehg) not being ready in time.

And since I don't read bug mail I missed your messages here.

> If that's the case, let's drop it from buster?
> 
Let's not... I'll see what I can do.

Cheers,
Julien



Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Tue, 28 May 2019 13:51:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 28 May 2019 13:51:04 GMT)


Message #35 received at 927674-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 927674-close@bugs.debian.org
Subject: Bug#927674: fixed in mercurial 4.8.2-1+deb10u1
Date: Tue, 28 May 2019 13:48:25 +0000

Source: mercurial
Source-Version: 4.8.2-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 28 May 2019 15:12:35 +0200
Source: mercurial
Architecture: source
Version: 4.8.2-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Closes: 927674
Changes:
 mercurial (4.8.2-1+deb10u1) buster; urgency=medium
 .
   * CVE-2019-3902: it was possible to use symlinks and subrepositories to
     defeat Mercurial's path-checking logic and write files outside a
     repository.  Closes: #927674.
Checksums-Sha1:
 cff0183b2698bf7a6110b68b93e723f7d5a7539e 2709 mercurial_4.8.2-1+deb10u1.dsc
 d241c4a9469658335be2598efe4aa622799433ac 64940 mercurial_4.8.2-1+deb10u1.debian.tar.xz
Checksums-Sha256:
 e47f77a1f9555e4648e3331100318853dc81215531a18c41f731d93383038df1 2709 mercurial_4.8.2-1+deb10u1.dsc
 5673d16057e140b74c0939e509a15dc4b67e18ee71cf806e9940896a42c9130c 64940 mercurial_4.8.2-1+deb10u1.debian.tar.xz
Files:
 9d22866948086cdf106def717f0510bf 2709 vcs optional mercurial_4.8.2-1+deb10u1.dsc
 c5ca6e06557021f72276e4f7dbf2821d 64940 vcs optional mercurial_4.8.2-1+deb10u1.debian.tar.xz







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:16:02 2019; Machine Name: buxtehude
