CVE-2008-4297: privilege escalation


Debian Bug report logs - #500781


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Wed, 1 Oct 2008 11:57:02 UTC

Severity: grave

Tags: patch, security

Fixed in version mercurial/1.0.1-5.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Wed, 01 Oct 2008 11:57:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Wed, 01 Oct 2008 11:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-4297: privilege escalation
Date: Wed, 01 Oct 2008 21:49:53 +1000
Package: mercurial
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mercurial.

CVE-2008-4297[0]:
| Mercurial before 1.0.2 does not enforce the allowpull permission
| setting for a pull operation from hgweb, which allows remote attackers
| to read arbitrary files from a repository via an "hg pull" request.

I am not sure about the severity of this issue, could you please investigate it?

There might be some additional information on the rpath page[1] and the selenic
wiki[2].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4297
    http://security-tracker.debian.net/tracker/CVE-2008-4297
[1] https://issues.rpath.com/browse/RPL-2753
[2] http://www.selenic.com/mercurial/wiki/index.cgi/WhatsNew#head-905b8adb3420a77d92617e06590055bd8952e02b




Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Thu, 02 Oct 2008 19:57:02 GMT)


Acknowledgement sent to Vincent Danjean <Vincent.Danjean@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Thu, 02 Oct 2008 19:57:02 GMT)


Message #10 received at 500781@bugs.debian.org:

From: Vincent Danjean <Vincent.Danjean@ens-lyon.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 500781@bugs.debian.org
Subject: Re: Bug#500781: CVE-2008-4297: privilege escalation
Date: Thu, 02 Oct 2008 21:49:55 +0200
  Hi,

Steffen Joeris wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mercurial.
> 
> CVE-2008-4297[0]:
> | Mercurial before 1.0.2 does not enforce the allowpull permission
> | setting for a pull operation from hgweb, which allows remote attackers
> | to read arbitrary files from a repository via an "hg pull" request.
> 
> I am not sure about the severity of this issue, could you please investigate it?

I saw it when mercurial 1.0.2 was published. But I did not find any
specific changeset linked to this issue. If anyone (co-maintainer, user, ...)
can point me to the changeset, I can prepare a patch with it. I can also
package the whole 1.0.2 (I was waiting for the lenny release to do it: the RM
told me they would probably not accept this update without strong reasons [1]).
But I'm sorry to say that I will not have enough free time now to
look more closely at this issue and to search the mercurial development
tree for a few weeks (too much real work for now).

  Regards,
    Vincent

[1] http://lists.debian.org/debian-release/2008/08/msg01341.html

-- 
Vincent Danjean       GPG key ID 0x9D025E87         vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main





Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Fri, 03 Oct 2008 13:06:02 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Fri, 03 Oct 2008 13:06:02 GMT)


Message #15 received at 500781@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 500781@bugs.debian.org
Subject: Re: Bug#500781: CVE-2008-4297: privilege escalation
Date: Fri, 3 Oct 2008 15:04:28 +0200
Hi Steffen,
* Steffen Joeris <steffen.joeris@skolelinux.de> [2008-10-01 15:59]:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mercurial.
> 
> CVE-2008-4297[0]:
> | Mercurial before 1.0.2 does not enforce the allowpull permission
> | setting for a pull operation from hgweb, which allows remote attackers
> | to read arbitrary files from a repository via an "hg pull" request.
> 
> I am not sure about the severity of this issue, could you please investigate it?

I'd say grave would be appropriate as the repository could 
contain sensitive information that should not be pulled. The 
only thing with that is that hgweb itself is not shipped 
within the Debian package but I guess a lot of people are 
using the source package to extract the cgi script anyway.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Severity set to `grave' from `important' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 03 Oct 2008 14:12:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Fri, 03 Oct 2008 14:36:03 GMT)


Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Fri, 03 Oct 2008 14:36:03 GMT)


Message #22 received at 500781@bugs.debian.org:

From: Nico Golde <nico@ngolde.de>
To: 500781@bugs.debian.org
Subject: intent to NMU
Date: Fri, 3 Oct 2008 16:33:43 +0200
tags 500781 + patch
thanks

Hi Vincent,
* Vincent Danjean <Vincent.Danjean@ens-lyon.org> [2008-10-03 12:15]:
> Steffen Joeris wrote:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for mercurial.
> > 
> > CVE-2008-4297[0]:
> > | Mercurial before 1.0.2 does not enforce the allowpull permission
> > | setting for a pull operation from hgweb, which allows remote attackers
> > | to read arbitrary files from a repository via an "hg pull" request.
> > 
> > I am not sure about the severity of this issue, could you please investigate it?
> 
> I saw it when mercurial 1.0.2 was published. But I did not find any
> specific changeset linked to this issue. If anyone (co-maintainer, user, ...)
> can point me to the changeset, I can prepare a patch with it. I can also
> package the whole 1.0.2 (I was waiting for the lenny release to do it: the RM
> told me they would probably not accept this update without strong reasons [1]).
> But I'm sorry to say that I will not have enough free time now to
> look more closely at this issue and to search the mercurial development
> tree for a few weeks (too much real work for now).

Attached is a patch for an NMU which fixes the issue.
This is upstream changeset 6630:8542fac26f63.
It is also archived on:
http://people.debian.org/~nion/nmu-diff/mercurial-1.0.1-5_1.0.1-5.1.patch 
Feel free to upload yourself if you have the time.

I also checked the diff between 1.0.1 and 1.0.2, 
6630:8542fac26f63 is included in 1.0.2 however there is an 
additional changeset which is not (6779:d3147b4e3e8a) which 
centralizes the permission handling so not every command has 
to care about this themselves. Testing my patch with a 
repository that has allowpull = false seems to work fine:

hg clone http://bone/cgi-bin/hgwebdir.cgi/test
destination directory: test
requesting all changes
abort: HTTP Error 500: Internal Server Error

Of course the error message could be better...

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[mercurial-1.0.1-5_1.0.1-5.1.patch (text/x-diff, attachment)]

Tags added: patch Request was from Nico Golde <nico@ngolde.de> to control@bugs.debian.org. (Fri, 03 Oct 2008 14:36:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Sat, 04 Oct 2008 07:48:04 GMT)


Acknowledgement sent to Vincent Danjean <Vincent.Danjean@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 04 Oct 2008 07:48:04 GMT)


Message #29 received at 500781@bugs.debian.org:

From: Vincent Danjean <Vincent.Danjean@ens-lyon.org>
To: Nico Golde <nion@debian.org>, 500781@bugs.debian.org
Subject: Re: [Python-apps-team] Bug#500781: CVE-2008-4297: privilege escalation
Date: Fri, 03 Oct 2008 15:31:46 +0200
Nico Golde wrote:
> Hi Steffen,
> * Steffen Joeris <steffen.joeris@skolelinux.de> [2008-10-01 15:59]:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for mercurial.
>>
>> CVE-2008-4297[0]:
>> | Mercurial before 1.0.2 does not enforce the allowpull permission
>> | setting for a pull operation from hgweb, which allows remote attackers
>> | to read arbitrary files from a repository via an "hg pull" request.
>>
>> I am not sure about the severity of this issue, could you please investigate it?
> 
> I'd say grave would be appropriate as the repository could 
> contain sensitive information that should not be pulled. The 
> only thing with that is that hgweb itself is not shipped 
> within the Debian package but I guess a lot of people are 
> using the source package to extract the cgi script anyway.

hgweb is not set up by default (because it needs manual edits),
but hgweb.cgi, hgwebdir.cgi, and hgwebdir.fcgi are installed in
/usr/share/doc/mercurial/examples/

  Regards,
    Vincent

> Cheers
> Nico


-- 
Vincent Danjean       GPG key ID 0x9D025E87         vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main





Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Sat, 04 Oct 2008 07:48:05 GMT)


Acknowledgement sent to Vincent Danjean <vdanjean.ml@free.fr>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 04 Oct 2008 07:48:05 GMT)


Message #34 received at 500781@bugs.debian.org:

From: Vincent Danjean <vdanjean.ml@free.fr>
To: Martin Geisler <mg@daimi.au.dk>
Cc: mercurial@selenic.com, 500781@bugs.debian.org, kblake2@gmail.com
Subject: Re: ubuntu/debian repos
Date: Fri, 03 Oct 2008 15:15:28 +0200
Martin Geisler wrote:
> "Ken Blake" <kblake2@gmail.com> writes:
> 
>> I've been meaning to ask about why the Ubuntu hardy repo was so out
>> of date. It currently has v0.9.5. I googled Vincent and found this
>> page:
>> http://www-id.imag.fr/Laboratoire/Membres/Danjean_Vincent/deb.html#mercurial
>> which shows the package name to be mercurial_1.0-7~bpo40+1_i386.deb
>> which I assume means it is version 1.0.
> 
> Correct, but the "bpo" part also tells you that this is a package for
> backports.org -- a place where people upload newer versions of
> packages for the stable Debian releases.

My web page is not always up to date... ;-)

>> But when I look at the Debian site:
>> http://packages.debian.org/etch/mercurial it lists mercurial
>> (0.9.1-1+etch4) which implies an even older version than Ubuntu.
> 
> The current stable Debian release is etch, and this was released in
> April 2007. The next stable release (the "testing" distribution called
> lenny) will contain 1.0.1:

Except for big security bugs, Debian packages of the stable release are never
updated. Currently, the stable release is etch. The next one, lenny, is in
preparation. It will have mercurial 1.0.1 because 1.0.2 was released
after the freeze (i.e. near a release, packages cannot be updated in Debian
unless there is a security bug, and only the patch for that bug can be backported).

Hint: if anyone can point me to a specific changeset to fix the second
security bug fixed in 1.0.2 ("Mercurial before 1.0.2 does not enforce the
allowpull permission"), I will backport it to 1.0.1 in the next Debian
release (see http://bugs.debian.org/500781 )

>   http://packages.debian.org/search?keywords=mercurial
> 
>> So my interpretation of this is Ubuntu and Debian are not in sync
>> and Vincent has done an upgrade but it hasn't been accepted yet? I
>> don't really know how these things work.
> 
> Debian has an unstable distribution where new stuff is uploaded. After
> 14 days (normally) a package can move to the testing distribution
> provided that no new bugs were reported. Once in a while the testing
> distribution is released -- it is then called stable. Packages in
> stable receive security updates only, even if projects release newer
> versions.

That is true, but near a Debian release, packages cannot be updated in 14 days
anymore.
So, for Debian:
- etch has a very old mercurial version (0.9.1) and will always keep it
- lenny (the next stable release) has version 1.0.1 (+ patch(es?) for security bugs)
- backports.org (packages from lenny rebuilt for etch) also has 1.0.1
When lenny is released (in a few weeks?):
- etch will not change (0.9.1)
- lenny will have 1.0.1 (+ patch(es?) for security bugs)
- squeeze (the one after lenny) will have 1.0.2 and any new mercurial version
  released before the squeeze release
- backports.org will also have 1.0.2 for lenny (and etch if I have enough time)

I do not know how/when Ubuntu takes Debian packages to include them in Ubuntu.
(I do not follow Ubuntu development)

  Regards,
    Vincent

-- 
Vincent Danjean                 Adresse: Laboratoire d'Informatique de Grenoble
Téléphone:  +33 4 76 61 20 11            ENSIMAG - antenne de Montbonnot
Fax:        +33 4 76 61 20 99            ZIRST 51, avenue Jean Kuntzmann
Email: Vincent.Danjean@imag.fr           38330 Montbonnot Saint Martin




Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Sat, 04 Oct 2008 09:06:05 GMT)


Acknowledgement sent to "Benoit Boissinot" <bboissin@gmail.com>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 04 Oct 2008 09:06:05 GMT)


Message #39 received at 500781@bugs.debian.org:

From: "Benoit Boissinot" <bboissin@gmail.com>
To: "Vincent Danjean" <vdanjean.ml@free.fr>
Cc: "Martin Geisler" <mg@daimi.au.dk>, mercurial@selenic.com, 500781@bugs.debian.org
Subject: Re: ubuntu/debian repos
Date: Sat, 4 Oct 2008 11:03:26 +0200
On Fri, Oct 3, 2008 at 3:15 PM, Vincent Danjean <vdanjean.ml@free.fr> wrote:
> Hint: if anyone can point me to a specific changeset to fix the second
> security bug fixed in 1.0.2 ("Mercurial before 1.0.2 does not enforce the
> allowpull permission"), I will backport it to 1.0.1 in the next Debian
> release (see http://bugs.debian.org/500781 )

Maybe this one:
changeset:   6465:8542fac26f63
user:        Benoit Boissinot <benoit.boissinot@ens-lyon.org>
date:        Mon May 26 14:20:26 2008 +0200
summary:     hgweb: correctly validate permissions with streamclone pulling

regards,

Benoit
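As an added illustration (not Mercurial's code and not the NMU patch attached earlier in this thread) of the design point behind Nico's remark that changeset 6779 centralizes permission handling and Benoit's changeset summary ("correctly validate permissions with streamclone pulling"): a per-command allowpull check that one command path forgets, beside a single gate evaluated before dispatch. The hgrc text, the `Denied` exception, the dispatch functions and the returned strings are constructed for this example; the three command names are hgweb wire-protocol commands, but the handlers are stand-ins.

```python
"""Constructed example: per-command permission checks versus one central
gate, modelled on the shape of CVE-2008-4297 (hgweb not honoring allowpull
for a stream clone). Not Mercurial's own code."""
import configparser

# Constructed sample hgrc: the repository owner has disabled pulls over hgweb.
SAMPLE_HGRC = """
[web]
allowpull = false
"""

# Commands that send repository content to the client. A read-only
# metadata command such as 'heads' is deliberately not listed.
PULL_COMMANDS = frozenset({"changegroup", "stream_out"})


class Denied(Exception):
    """Raised when the [web] configuration forbids the requested command."""


def parse_allowpull(hgrc_text):
    """Return the [web] allowpull setting; Mercurial's default is True."""
    cp = configparser.ConfigParser()
    cp.read_string(hgrc_text)
    return cp.getboolean("web", "allowpull", fallback=True)


def dispatch_vulnerable(hgrc_text, cmd):
    """Each handler is responsible for its own check. The later-added
    'stream_out' path omits it, so a stream clone returns data even though
    allowpull = false. This is the pattern, not Mercurial's actual code."""
    allowpull = parse_allowpull(hgrc_text)
    if cmd == "changegroup":
        if not allowpull:
            raise Denied("changegroup: pull not allowed")
        return "changegroup-data"
    if cmd == "stream_out":
        return "stream-data"  # missing permission check
    if cmd == "heads":
        return "heads-data"
    raise ValueError("unknown command %s" % cmd)


def dispatch_hardened(hgrc_text, cmd):
    """One gate, keyed on a table of which commands need pull permission,
    runs before any handler. A future data-sending command only has to be
    added to PULL_COMMANDS; no handler has to remember to check."""
    if cmd in PULL_COMMANDS and not parse_allowpull(hgrc_text):
        raise Denied("%s: pull not allowed" % cmd)
    handlers = {
        "changegroup": lambda: "changegroup-data",
        "stream_out": lambda: "stream-data",
        "heads": lambda: "heads-data",
    }
    if cmd not in handlers:
        raise ValueError("unknown command %s" % cmd)
    return handlers[cmd]()


def leaks_on_stream_out(hgrc_text):
    """True if stream_out bypasses allowpull under the vulnerable dispatch."""
    try:
        dispatch_vulnerable(hgrc_text, "stream_out")
        return True
    except Denied:
        return False


if __name__ == "__main__":
    print("vulnerable dispatch leaks on stream_out:", leaks_on_stream_out(SAMPLE_HGRC))
    try:
        dispatch_hardened(SAMPLE_HGRC, "stream_out")
    except Denied as e:
        print("hardened dispatch:", e)
```

The test Nico ran (an hg clone against a repository with allowpull = false) corresponds to asking the hardened dispatcher for the pull commands and expecting a refusal, while metadata commands still answer.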




Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Sat, 04 Oct 2008 10:45:02 GMT)


Acknowledgement sent to nion@ngolde.de:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 04 Oct 2008 10:45:03 GMT)


Message #44 received at 500781@bugs.debian.org:

From: nion@ngolde.de
To: Vincent Danjean <vdanjean.ml@free.fr>, 500781@bugs.debian.org
Cc: Martin Geisler <mg@daimi.au.dk>, mercurial@selenic.com, kblake2@gmail.com
Subject: Re: Bug#500781: ubuntu/debian repos
Date: Sat, 4 Oct 2008 12:42:52 +0200
Hi Vincent,
* Vincent Danjean <vdanjean.ml@free.fr> [2008-10-04 12:16]:
> Martin Geisler wrote:
[...]
> >> But when I look at the Debian site:
> >> http://packages.debian.org/etch/mercurial it lists mercurial
> >> (0.9.1-1+etch4) which implies an even older version than Ubuntu.
> > 
> > The current stable Debian release is etch, and this was released in
> > April 2007. The next stable release (the "testing" distribution called
> > lenny) will contain 1.0.1:
> 
> Except for big security bugs, Debian packages of the stable release are never
> updated. Currently, the stable release is etch. The next one, lenny, is in
> preparation. It will have mercurial 1.0.1 because 1.0.2 was released
> after the freeze (i.e. near a release, packages cannot be updated in Debian
> unless there is a security bug, and only the patch for that bug can be backported).
> 
> Hint: if anyone can point me to a specific changeset to fix the second
> security bug fixed in 1.0.2 ("Mercurial before 1.0.2 does not enforce the
> allowpull permission"), I will backport it to 1.0.1 in the next Debian
> release (see http://bugs.debian.org/500781 )

Errm did you see the patch I already posted to this bug?
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500781#22

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#500781; Package mercurial. (Sat, 04 Oct 2008 10:48:03 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 04 Oct 2008 10:48:03 GMT)


Message #49 received at 500781@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Vincent Danjean <vdanjean.ml@free.fr>, 500781@bugs.debian.org
Subject: Re: Bug#500781: ubuntu/debian repos
Date: Sat, 4 Oct 2008 12:45:16 +0200
Hi Vincent,
* Vincent Danjean <vdanjean.ml@free.fr> [2008-10-04 12:16]:
> Martin Geisler wrote:
> > "Ken Blake" <kblake2@gmail.com> writes:
> > 
[...] 
> Hint: if anyone can point me to a specific changeset to fix the second
> security bug fixed in 1.0.2 ("Mercurial before 1.0.2 does not enforce the
> allowpull permission"), I will backport it to 1.0.1 in the next Debian
> release (see http://bugs.debian.org/500781 )

As it was not a big deal to find the patch and you seem to 
have missed the mail I already sent to the BTS, I uploaded 
the NMU now.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Sat, 04 Oct 2008 11:33:03 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 04 Oct 2008 11:33:03 GMT)


Message #54 received at 500781-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 500781-close@bugs.debian.org
Subject: Bug#500781: fixed in mercurial 1.0.1-5.1
Date: Sat, 04 Oct 2008 11:02:07 +0000
Source: mercurial
Source-Version: 1.0.1-5.1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive:

mercurial-common_1.0.1-5.1_all.deb
  to pool/main/m/mercurial/mercurial-common_1.0.1-5.1_all.deb
mercurial_1.0.1-5.1.diff.gz
  to pool/main/m/mercurial/mercurial_1.0.1-5.1.diff.gz
mercurial_1.0.1-5.1.dsc
  to pool/main/m/mercurial/mercurial_1.0.1-5.1.dsc
mercurial_1.0.1-5.1_amd64.deb
  to pool/main/m/mercurial/mercurial_1.0.1-5.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 500781@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 03 Oct 2008 16:25:13 +0200
Source: mercurial
Binary: mercurial mercurial-common
Architecture: source all amd64
Version: 1.0.1-5.1
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 mercurial  - Scalable distributed version control system
 mercurial-common - Scalable distributed version control system (Common files)
Closes: 500781
Changes: 
 mercurial (1.0.1-5.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Honor allowpull configuration setting from hgrc on a repository clone to
     prevent information disclosure (CVE-2008-4297; Closes: #500781).






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Jul 2009 07:36:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:58:06 2019; Machine Name: beach
