mercurial: CVE-2014-9462: command injection via sshpeer._validaterepo()

Debian Bug report logs - #783237
mercurial: CVE-2014-9462: command injection via sshpeer._validaterepo()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2014-9462

Date: Fri, 24 Apr 2015 13:21:56 +0200

Package: mercurial
Severity: important
Tags: security

Please see
http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

Fix:
http://selenic.com/hg/rev/e3f30068d2eb

Cheers,
        Moritz

Message #12 received at 783237@bugs.debian.org (full text, mbox, reply):

From: Javi Merino <vicho@debian.org>

To: Moritz Muehlenhoff <jmm@debian.org>, 783237@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#783237: CVE-2014-9462

Date: Fri, 1 May 2015 19:16:07 +0100

[Message part 1 (text/plain, inline)]

On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> Package: mercurial
> Severity: important
> Tags: security
> 
> Please see
> http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> 
> Fix:
> http://selenic.com/hg/rev/e3f30068d2eb

I've prepared a fix for this, find the diff attached.  Can I upload it
to stable-security?

Cheers,
Javi

[fix_cve_2014_9462.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 783237@bugs.debian.org (full text, mbox, reply):

From: Alessandro Ghedini <ghedo@debian.org>

To: Javi Merino <vicho@debian.org>

Cc: 783237@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#783237: CVE-2014-9462

Date: Fri, 1 May 2015 20:53:28 +0200

[Message part 1 (text/plain, inline)]

On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > Package: mercurial
> > Severity: important
> > Tags: security
> > 
> > Please see
> > http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > 
> > Fix:
> > http://selenic.com/hg/rev/e3f30068d2eb
> 
> I've prepared a fix for this, find the diff attached.  Can I upload it
> to stable-security?

> Index: debian/changelog
> ===================================================================
> --- debian/changelog	(revisión: 11645)
> +++ debian/changelog	(copia de trabajo)
> @@ -1,3 +1,11 @@
> +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high

Please use jessie-security instead of stable-security.

Otherwise the upload looks good. Once the above is fixed you can go ahead and
upload to security-master. Remember to build the package with full upstream
sources (dpkg-buildpackage -sa), since this would be the first upload to
jessie-security for mercurial.

Also, the vulnerability seems to affect the wheezy version as well, could you
please prepare an upload targeting wheezy-security as well?

Thanks for your help.

Cheers

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 783237@bugs.debian.org (full text, mbox, reply):

From: Javi Merino <vicho@debian.org>

To: Alessandro Ghedini <ghedo@debian.org>

Cc: 783237@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#783237: CVE-2014-9462

Date: Sat, 2 May 2015 09:04:42 +0100

[Message part 1 (text/plain, inline)]

On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
> On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> > On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > > Package: mercurial
> > > Severity: important
> > > Tags: security
> > > 
> > > Please see
> > > http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > > 
> > > Fix:
> > > http://selenic.com/hg/rev/e3f30068d2eb
> > 
> > I've prepared a fix for this, find the diff attached.  Can I upload it
> > to stable-security?
> 
> > Index: debian/changelog
> > ===================================================================
> > --- debian/changelog	(revisión: 11645)
> > +++ debian/changelog	(copia de trabajo)
> > @@ -1,3 +1,11 @@
> > +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high
> 
> Please use jessie-security instead of stable-security.

Ok

> Otherwise the upload looks good. Once the above is fixed you can go ahead and
> upload to security-master. Remember to build the package with full upstream
> sources (dpkg-buildpackage -sa), since this would be the first upload to
> jessie-security for mercurial.

Uploaded with full upstream sources.

> Also, the vulnerability seems to affect the wheezy version as well, could you
> please prepare an upload targeting wheezy-security as well?

Sure, I'll do that soon.  Cheers,
Javi

[signature.asc (application/pgp-signature, inline)]

Message #35 received at 783237@bugs.debian.org (full text, mbox, reply):

From: Javi Merino <vicho@debian.org>

To: team@security.debian.org

Cc: 783237@bugs.debian.org

Subject: Re: Bug#783237: CVE-2014-9462

Date: Wed, 6 May 2015 08:26:47 +0100

[Message part 1 (text/plain, inline)]

Hi Alessandro,

On Sat, May 02, 2015 at 09:04:42AM +0100, Javi Merino wrote:
> On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
> > On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> > > On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: mercurial
> > > > Severity: important
> > > > Tags: security
> > > > 
> > > > Please see
> > > > http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > > > 
> > > > Fix:
> > > > http://selenic.com/hg/rev/e3f30068d2eb

[...]

> > Also, the vulnerability seems to affect the wheezy version as well, could you
> > please prepare an upload targeting wheezy-security as well?

I've prepared an upload for wheezy-security, find the diff below.  Can
I upload it to security-master?

Index: debian/changelog
===================================================================
--- debian/changelog	(revisión: 11643)
+++ debian/changelog	(copia de trabajo)
@@ -1,3 +1,11 @@
+mercurial (2.2.2-4+deb7u1) wheezy-security; urgency=high
+
+  * Fix "CVE-2014-9462" by adding patch
+    from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes:
+    #783237)
+
+ -- Javi Merino <vicho@debian.org>  Wed, 06 May 2015 08:09:26 +0100
+
 mercurial (2.2.2-4) stable; urgency=high
 
   * Security update for CVE-2014-9390: errors in handling case-sensitive
Index: debian/patches/series
===================================================================
--- debian/patches/series	(revisión: 11643)
+++ debian/patches/series	(copia de trabajo)
@@ -14,3 +14,4 @@
 from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
 from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
 from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
Index: debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
===================================================================
--- debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch	(revisión: 0)
+++ debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch	(revisión: 11901)
@@ -0,0 +1,29 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462
+Applied-Upstream: 3.2.4
+
+--- a/mercurial/sshrepo.py
++++ b/mercurial/sshrepo.py
+@@ -20,6 +20,8 @@ class remotelock(object):
+             self.release()
+ 
+ def _serverquote(s):
++    if not s:
++        return s
+     '''quote a string for the remote shell ... which we assume is sh'''
+     if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
+         return s
+@@ -44,7 +46,10 @@ class sshrepository(wireproto.wirereposi
+         sshcmd = self.ui.config("ui", "ssh", "ssh")
+         remotecmd = self.ui.config("ui", "remotecmd", "hg")
+ 
+-        args = util.sshargs(sshcmd, self.host, self.user, self.port)
++        args = util.sshargs(sshcmd,
++                            _serverquote(self.host),
++                            _serverquote(self.user),
++                            _serverquote(self.port))
+ 
+         if create:
+             cmd = '%s %s %s' % (sshcmd, args,

[signature.asc (application/pgp-signature, inline)]

Message #40 received at 783237@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>

To: Javi Merino <vicho@debian.org>

Cc: team@security.debian.org, 783237@bugs.debian.org

Subject: Re: Bug#783237: CVE-2014-9462

Date: Wed, 6 May 2015 09:31:50 +0200

On May/06, Javi Merino wrote:
> I've prepared an upload for wheezy-security, find the diff below.  Can
> I upload it to security-master?

It looks fine to me. This one will need -sa as well.

Cheers,

--Seb

Message #45 received at 783237-close@bugs.debian.org (full text, mbox, reply):

From: Javi Merino <vicho@debian.org>

To: 783237-close@bugs.debian.org

Subject: Bug#783237: fixed in mercurial 3.1.2-2+deb8u1

Date: Tue, 12 May 2015 18:47:13 +0000

Source: mercurial
Source-Version: 3.1.2-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javi Merino <vicho@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 May 2015 19:14:56 +0100
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source all amd64
Version: 3.1.2-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Javi Merino <vicho@debian.org>
Description:
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 783237
Changes:
 mercurial (3.1.2-2+deb8u1) jessie-security; urgency=high
 .
   * Fix "CVE-2014-9462" by adding patch
     from_upstream__sshpeer_more_thorough_shell_quoting.patch
     (Closes: #783237)
Checksums-Sha1:
 e21373a0c50dd02ab6ba565b8d7702bd44febb0b 2273 mercurial_3.1.2-2+deb8u1.dsc
 ae7e16454cee505da895c2497f09711f35287459 3983825 mercurial_3.1.2.orig.tar.gz
 4331c8b763def4561e2ace0e7de9573175ebd7e3 47096 mercurial_3.1.2-2+deb8u1.debian.tar.xz
 69377ad4e34c9075875f15dc720a1176e7be19b3 1598540 mercurial-common_3.1.2-2+deb8u1_all.deb
 055fa72a013c3ce14b526c6322504467b71b6555 59990 mercurial_3.1.2-2+deb8u1_amd64.deb
Checksums-Sha256:
 1a6ce61286da1af112f73b96fb9c67fd5ec1a0d621ada33274158c2ec27ccb78 2273 mercurial_3.1.2-2+deb8u1.dsc
 5dbe5ceb3707e378528dc9346af280919760aa1a8bcc27be12c1fe2bafa78d3a 3983825 mercurial_3.1.2.orig.tar.gz
 fd6ecfa4c47c203d1962e253d8f9f6d59696348e723f3cbe5776bfd6eb60fec3 47096 mercurial_3.1.2-2+deb8u1.debian.tar.xz
 bed5cf728c64e8a28a5c2e5ae1e1b6ed3a65c5c7f5de7c843b4de771156a224f 1598540 mercurial-common_3.1.2-2+deb8u1_all.deb
 1169bf7028353346256a08810ddda7e1a4ae819eea2b2b33c7f5b14230ae9def 59990 mercurial_3.1.2-2+deb8u1_amd64.deb
Files:
 bd817f300f1ca497f05ad277120f7bbc 2273 vcs optional mercurial_3.1.2-2+deb8u1.dsc
 72a79798de828d6d6fb055273f91201a 3983825 vcs optional mercurial_3.1.2.orig.tar.gz
 e25260951075fc566e610f946f91a525 47096 vcs optional mercurial_3.1.2-2+deb8u1.debian.tar.xz
 479e6bc6ceb5c3208173255323d94cb2 1598540 vcs optional mercurial-common_3.1.2-2+deb8u1_all.deb
 6fc572f7df99ed485d2fe94d19f98f3a 59990 vcs optional mercurial_3.1.2-2+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVRIPAAAoJEAe0hFJ2jTgk4ZkQAOhkQEOfFi0uyiw2tLt14DRO
0l/ZLxd3p+uW36P1aWy5V52Iut+y5u4MLLFUTnbmtXSsKRij+qcDo8g0UUccrMDM
YB1+nBR+37IKTvHcpLA06blpLrE+ip42h6W/rkZHpViW8ohWo+B5t7Wn9Jr7+1XF
sAg/Y2RrZYFBZr5XFNAsExF/MGyTd4QniMTL1K1MH1H5tQ4KBHQJxWYLpBVsYttC
mYyGLklKUmvJfY/WcsR72SUDAxTDWYpqCTqjow5FXkujxQtTNpfwPhSGPKTuaUzr
kfWV1uqgv8NX+Xs6d05GE2BN2VzVepRMC65IFaJF1HmKaaPH2hO6gXMUfaw7qDWu
K4pDHmWBfHM3fKT1BG5Mslz+Xh4er8dr4AsOonkOn/nyukSHnGntGIJmPVH8mG+b
S1NaKGhFMxOAQ5eo9KvIwLbCa3ytxhPEhXtGTjCVpUoOKbD1p5Mk+8o68kxLjTSL
CZGOwc90X6zQ5BThNOFR2Gc+k0rlzGAdiCo3swJh+hm8BCpzBUtl+fA1DXqdbxU9
WjVwFCReQ++/e0GAc5h4dedGffqwjOGhG9Q+MPZNmFDdBxYOE6M8YZYmEB9heyIU
PBWvdavwa87SRrEOoZNR/ZaW6MmIQoIvLrfqfg/f3rS2jtxujl9ohXZLv6WR9StQ
4GTKcL5TIFk/4m479mb0
=JqZ/
-----END PGP SIGNATURE-----

Message #50 received at 783237-close@bugs.debian.org (full text, mbox, reply):

From: Javi Merino <vicho@debian.org>

To: 783237-close@bugs.debian.org

Subject: Bug#783237: fixed in mercurial 2.2.2-4+deb7u1

Date: Tue, 12 May 2015 18:47:31 +0000

Source: mercurial
Source-Version: 2.2.2-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javi Merino <vicho@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 06 May 2015 08:09:26 +0100
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source all amd64
Version: 2.2.2-4+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Javi Merino <vicho@debian.org>
Description: 
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 783237
Changes: 
 mercurial (2.2.2-4+deb7u1) wheezy-security; urgency=high
 .
   * Fix "CVE-2014-9462" by adding patch
     from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes:
     #783237)
Checksums-Sha1: 
 1cd8290d537ba4978d4e28d5828a1460046d61c3 2164 mercurial_2.2.2-4+deb7u1.dsc
 72070531f173ccb4394b227914c45678c963ebaa 3430037 mercurial_2.2.2.orig.tar.gz
 89603917e9600c09cf9323ff49b733c49fed8659 41157 mercurial_2.2.2-4+deb7u1.debian.tar.gz
 394b082769956c1d78b7532ecb6aee30373fbbc4 2325578 mercurial-common_2.2.2-4+deb7u1_all.deb
 26868d7ca78c2b23e7556014d9757efae3fc4e52 93468 mercurial_2.2.2-4+deb7u1_amd64.deb
Checksums-Sha256: 
 01c47c42c898093a3e0f2add2998d5107e304bbbdb4335b844571492c01aef00 2164 mercurial_2.2.2-4+deb7u1.dsc
 3489110ec11fefbd2cbdefb8d715d0a869cef3dd729aaf4d5141108f8be1600a 3430037 mercurial_2.2.2.orig.tar.gz
 f48016549820e1d5bab2a1480620620e409a7c302a3db29c1bef5ea4474100f6 41157 mercurial_2.2.2-4+deb7u1.debian.tar.gz
 f5c2e1a62981aad40be1ab3b19d8f35adb7d70b58265ce1e19d7b4cd53ede0fe 2325578 mercurial-common_2.2.2-4+deb7u1_all.deb
 c0013051424de41926032b2b44d08c53d41ee48f2121464da09e911819752e2b 93468 mercurial_2.2.2-4+deb7u1_amd64.deb
Files: 
 fa7c207b7bf99ed0866b61bd321315f3 2164 vcs optional mercurial_2.2.2-4+deb7u1.dsc
 9f59b5d71969cbb2671702cd2a7a5a11 3430037 vcs optional mercurial_2.2.2.orig.tar.gz
 82e3d3aa4409cf747363b86b6cbf95db 41157 vcs optional mercurial_2.2.2-4+deb7u1.debian.tar.gz
 1bd6accef7d746ef892fb0789382a223 2325578 vcs optional mercurial-common_2.2.2-4+deb7u1_all.deb
 2176a4d9d76e8c929fbf878d5a457992 93468 vcs optional mercurial_2.2.2-4+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVScEFAAoJEAe0hFJ2jTgkCHIQALBrCtS/s+MNCKlEEnciwjDt
7Gkn/3EpLsp3Wo1zKVsLLKVaWQlW9i6srp4Wn95xwzVdlKEpii9WaTPmCK04kLoe
NrXY6AsdpGwWFa9/zL+FNe8dM8IouLq6N1JHLitJq/ce4x4POmCVS6G9vf4lHgEI
39UVh4HDOir/dM9wR18jF9jXtg5FPAfFLHJ6RgX8M2xFaTmMNnSBRofPwt3KQJl9
NJwCAFdK8X5vZdVUMxjOKsD5Y48K0sgCFD+uRip1S9PYXPIpcwmcKEDHQ0kbQZsl
LPz/XeMcvoKnpRa5H8+vqfW0/iR8Tqbr7Eki8bfbFjnouKmwndaHQdJkjRsJ2Cci
5YRSSzlvbwBQ/s1lcXue+8FBCxDf+V2z6eRhi7/LmRfTw2KrHxlbKthmXOyp/R6J
E5O7gzogMohgon6XHCyAC4EyfoS6uHyCselVz7z2/+6vwUIzXBtghpaDSfJgz2me
iQfZ7slSTHF8FSZGs6VX3tp/P6XOvt63MNduUZAtTPf6JvrW6GFjI3wX5jbEg/zi
AsOq65zVTmvSPXjrBgulHtXC8Ddw27IkSz9LjZk+A4n/lbGzE/lKB6N1lzunaRDA
CNrcm6hdNoieotWx8qROpEYgdReJscGuL962KWKILTbIPEGtVAqfBHpvHwVI+7do
gOCq7EVRvknxnwWJDFII
=v3hL
-----END PGP SIGNATURE-----

Message #59 received at 783237-close@bugs.debian.org (full text, mbox, reply):

From: anonymous@euve1183.vserver.de

To: 783237-close@bugs.debian.org

Subject: New status of your UPS delivery (code: 2655961)

Date: Wed, 8 Mar 2017 10:00:26 +0300

[Message part 1 (text/plain, inline)]

Dear Customer,



We can not deliver your parcel arrived at March 05.



Please check delivery label attached!



Thanks and best regards,

Harvey Daniels,

UPS Station Agent.

[UPS-Receipt-2655961.zip (application/zip, attachment)]

Send a report that this bug log contains spam.