mercurial: CVE-2017-9462: allows remote users unauthorized access to a hg serve --stdio instance

Related Vulnerabilities: CVE-2017-9462, CVE-2017-1000115, CVE-2017-1000116

Debian Bug report logs - #861243


Reported by: Ethan Blanton <elb@lami.fiji-systems.com>

Date: Wed, 26 Apr 2017 13:45:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions mercurial/4.0-1, mercurial/2.2.2-4, mercurial/3.1.2-2, mercurial/3.1.2-2+deb8u3

Fixed in version mercurial/4.3.1-1

Done: Tristan Seligmann <mithrandi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>: Bug#861243; Package mercurial. (Wed, 26 Apr 2017 13:45:04 GMT)


Acknowledgement sent to Ethan Blanton <elb@lami.fiji-systems.com>: New Bug report received and forwarded. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Wed, 26 Apr 2017 13:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ethan Blanton <elb@lami.fiji-systems.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mercurial: Mercurial before 4.1.3 has a bug which allows remote users unauthorized access to a hg serve --stdio instance
Date: Wed, 26 Apr 2017 13:27:20 +0000
Package: mercurial
Version: 3.1.2-2+deb8u3
Severity: important

Dear Maintainer,

All versions of Mercurial prior to 4.1.3 have a bug in
'hg serve --stdio' which can allow remote users access to the Python
debugger, from where they have nearly complete access to the local
system.  For systems serving Mercurial repositories via ssh, this
could allow unauthorized access to the serving account.

The release notes for 4.1.3 can be found here:

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29

No Debian repository currently ships 4.1.3 or appears to ship any
version of Mercurial with this bug patched.

-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mercurial depends on:
ii  libc6             2.19-18+deb8u7
ii  mercurial-common  3.1.2-2+deb8u3
ii  python            2.7.9-1
ii  ucf               3.0030

Versions of packages mercurial recommends:
ii  openssh-client  1:6.7p1-5+deb8u3

Versions of packages mercurial suggests:
pn  kdiff3 | kdiff3-qt | kompare | meld | tkcvs | mgdiff  <none>
pn  qct                                                   <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>: Bug#861243; Package mercurial. (Tue, 06 Jun 2017 15:57:06 GMT)


Acknowledgement sent to Wagner Bruna <wbruna@yahoo.com>: Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Tue, 06 Jun 2017 15:57:06 GMT)


Message #10 received at 861243@bugs.debian.org:

From: Wagner Bruna <wbruna@yahoo.com>
To: "control@bugs.debian.org" <control@bugs.debian.org>, "861243@bugs.debian.org" <861243@bugs.debian.org>
Subject: #861243: patches for jessie and stretch
Date: Tue, 6 Jun 2017 15:50:58 +0000 (UTC)
tags 861243 + security fixed-upstream patch
found 861243 4.0-1
thanks

The upstream fix is:
https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499

A few unrelated changes prevent it from applying cleanly to 4.0 (541949a10a68, d83ca854fa21) and 3.1.2 (2b9cda9040f7), so I've prepared corrected patches.

Best regards,
Wagner

[fix_861243_hg_3.1.2.patch (application/x-download, attachment)]
[fix_861243_hg_4.0.patch (application/x-download, attachment)]

Added tag(s) fixed-upstream, patch, and security. Request was from Wagner Bruna <wbruna@yahoo.com> to control@bugs.debian.org. (Tue, 06 Jun 2017 15:57:07 GMT)


Marked as found in versions mercurial/4.0-1. Request was from Wagner Bruna <wbruna@yahoo.com> to control@bugs.debian.org. (Tue, 06 Jun 2017 15:57:08 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Jun 2017 18:57:03 GMT)


Marked as found in versions mercurial/3.1.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Jun 2017 18:57:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>: Bug#861243; Package mercurial. (Tue, 06 Jun 2017 20:09:07 GMT)


Acknowledgement sent to Wagner Bruna <wbruna@yahoo.com>: Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Tue, 06 Jun 2017 20:09:07 GMT)


Message #23 received at 861243@bugs.debian.org:

From: Wagner Bruna <wbruna@yahoo.com>
To: "control@bugs.debian.org" <control@bugs.debian.org>, "861243@bugs.debian.org" <861243@bugs.debian.org>
Subject: #861243: patch for wheezy
Date: Tue, 6 Jun 2017 20:03:39 +0000 (UTC)
found 861243 2.2.2-4
thanks
[fix_861243_hg_2.2.2.patch (text/x-patch, attachment)]

Marked as found in versions mercurial/2.2.2-4. Request was from Wagner Bruna <wbruna@yahoo.com> to control@bugs.debian.org. (Tue, 06 Jun 2017 20:09:09 GMT)


Changed Bug title to 'mercurial: CVE-2017-9462: allows remote users unauthorized access to a hg serve --stdio instance' from 'mercurial: Mercurial before 4.1.3 has a bug which allows remote users unauthorized access to a hg serve --stdio instance'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Jun 2017 04:27:03 GMT)


Reply sent to Tristan Seligmann <mithrandi@debian.org>: You have taken responsibility. (Fri, 11 Aug 2017 10:21:04 GMT)


Notification sent to Ethan Blanton <elb@lami.fiji-systems.com>: Bug acknowledged by developer. (Fri, 11 Aug 2017 10:21:04 GMT)


Message #32 received at 861243-close@bugs.debian.org:

From: Tristan Seligmann <mithrandi@debian.org>
To: 861243-close@bugs.debian.org
Subject: Bug#861243: fixed in mercurial 4.3.1-1
Date: Fri, 11 Aug 2017 10:19:32 +0000
Source: mercurial
Source-Version: 4.3.1-1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861243@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tristan Seligmann <mithrandi@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Aug 2017 05:00:16 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source
Version: 4.3.1-1
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Tristan Seligmann <mithrandi@debian.org>
Description:
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 861243 868014 871709 871710
Changes:
 mercurial (4.3.1-1) unstable; urgency=high
 .
   * Urgency high because of important security fixes.
   * New upstream release (closes: #868014).
     - CVE-2017-1000115: Mercurial's symlink auditing was incomplete prior
       to 4.3, and could be abused to write to files outside the
       repository (closes: #871709).
     - CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to
       ssh, allowing shell injection attacks by specifying a hostname
       starting with -oProxyCommand (closes: #871710).
     - CVE-2017-9462: previously fixed in 4.1.3 upstream (closes: #861243).
   * Blacklist test-https.t due to TLS 1.0/1.1 being disabled in OpenSSL in
     unstable.
   * Fix license definitions in debian/copyright.
   * Bump Standards-Version to 4.0.0 (no changes).
   * Run wrap-and-sort -t -s.
Checksums-Sha1:
 57dc975c17618107ecb3d528e3fd861ea444b13f 2225 mercurial_4.3.1-1.dsc
 06cde0a5d555d5c62bb7f791409fd91910c28553 5475042 mercurial_4.3.1.orig.tar.gz
 75081b06541acd75272849b335ace0b956bfdc3e 54052 mercurial_4.3.1-1.debian.tar.xz
 f4c8f729dd7902939cdb4bb9960193f7fac53ead 6564 mercurial_4.3.1-1_source.buildinfo
Checksums-Sha256:
 5f8e9e8ba017f4a4fac3895dad636457c91b69ff4eab0193ad8b46736b351133 2225 mercurial_4.3.1-1.dsc
 2b12f02e3a452adff4ec9cf007017bab0cadb3f37eaf12f4b25a662df73618a2 5475042 mercurial_4.3.1.orig.tar.gz
 451bbaf7dca2d99c2c2eb18a4e275f06b7abf5f5784b08d3caf045d38d5b1832 54052 mercurial_4.3.1-1.debian.tar.xz
 c4731ef459b2c8c5052e1ddd3340ed1a50a3f45b527f519be7a9cc10ea813faf 6564 mercurial_4.3.1-1_source.buildinfo
Files:
 b597cc62d5e567d9f08dad59d0e0ab64 2225 vcs optional mercurial_4.3.1-1.dsc
 b9cbdcf0bd41a2b385b35b9fbfeb0eea 5475042 vcs optional mercurial_4.3.1.orig.tar.gz
 3d5ba7aa476ab96bbcb55cb4094786af 54052 vcs optional mercurial_4.3.1-1.debian.tar.xz
 e72925b9e61deb79b06af897182a98c6 6564 vcs optional mercurial_4.3.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQGpBAEBCgCTFiEEXAZWhXVRbQoz/6ejwImQ+x9jeJMFAlmNgVBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDVD
MDY1Njg1NzU1MTZEMEEzM0ZGQTdBM0MwODk5MEZCMUY2Mzc4OTMVHG1pdGhyYW5k
aUBkZWJpYW4ub3JnAAoJEMCJkPsfY3iT+RgIAK/PRNDVfhalbNjeY3e4pQUslNeD
NOuUoi7ViMfpPUnmkLy4N+TFNm6yj52o0e/RUSB6qS6KumfybIYnMnifIzxbip4U
YNKrl5drg2CHZYgTrfG+cHJEDKHiibbH2yZ0m0zqcKqxpEJKAPZLekCmLgy4bAi4
4iPYlXKEugRaiyCx2yteoaqDp1fPrpE4yhZCYUqH6YayLwSWeYo4ViGGGxQwOE7G
wRlUSSXIy9mZEhj3DJwgWgtKJQrYIV1mwWatB8ObzSzn0ArVMO/VukyL7rbsRNUY
fWzC8eh6Hs2GlU0pNaeV6SxHOPXfTqvwvFcFuf80wv0CdxZaCXLZOyXNEok=
=Nttf
-----END PGP SIGNATURE-----
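The changelog in the closing message above describes CVE-2017-1000116 as Mercurial passing unsanitized hostnames to ssh, so that a "hostname" beginning with -oProxyCommand was parsed by ssh as an option. The following is an added example, not code from Mercurial, from this bug log, or from the Debian package: it shows the two controls that close that class of argument-injection bug on the caller's side, an explicit check that the destination cannot be read as an ssh flag, and building the command as an argv list (no shell) with a "--" separator. The function names, the accepted-hostname policy, and the assumption that the ssh client honours "--" as an end-of-options marker (OpenSSH does, via getopt-style parsing; other clients may not, which is why the leading-dash check is kept regardless) are this example's own choices.

```python
"""Defensive validation of an ssh destination before it reaches argv.

Added example; not Mercurial's code.  The host policy below is a
conservative choice for this illustration, not Mercurial's upstream fix.
"""
import re
import subprocess  # used only in run_remote(); the demo never executes ssh

# Hostname policy (assumed here): DNS labels, IPv4 literals, or a
# bracketed IPv6 literal.  Anything else is rejected, not escaped.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
_IPV6_RE = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")
_USER_RE = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]*$")  # cannot start with '-'


class UnsafeHostError(ValueError):
    """Raised when a destination could be parsed by ssh as an option."""


def validate_ssh_host(host: str) -> str:
    """Return host unchanged if it is a plain destination, else raise.

    The leading-dash check is the one that matters for CVE-2017-1000116:
    a destination such as "-oProxyCommand=..." is an ssh option that runs
    a local command, not a place to connect to.
    """
    if not host:
        raise UnsafeHostError("empty hostname")
    if host.startswith("-"):
        raise UnsafeHostError("hostname looks like an ssh option: %r" % host)
    if any(c.isspace() for c in host):
        raise UnsafeHostError("whitespace in hostname: %r" % host)
    if _HOST_RE.match(host) or _IPV6_RE.match(host):
        return host
    raise UnsafeHostError("hostname contains unexpected characters: %r" % host)


def is_safe_host(host: str) -> bool:
    """Boolean wrapper around validate_ssh_host() for callers that just filter."""
    try:
        validate_ssh_host(host)
        return True
    except UnsafeHostError:
        return False


def build_ssh_argv(host: str, remote_cmd: str, user: str = None, port: int = None) -> list:
    """Build the argv list for ssh.

    A list (no shell string) removes shell injection; "--" tells ssh to
    stop option parsing, so the destination cannot become a flag even if
    a future validation bug let a dash through.  The user part is checked
    too, because "user@host" is one argv element and a leading '-' in the
    user would have the same effect.
    """
    host = validate_ssh_host(host)
    if user is not None and not _USER_RE.match(user):
        raise UnsafeHostError("unsafe ssh user: %r" % user)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    dest = "%s@%s" % (user, host) if user else host
    argv += ["--", dest, remote_cmd]
    return argv


def run_remote(host: str, remote_cmd: str, **kw) -> subprocess.CompletedProcess:
    """Execute the validated command with no shell involved."""
    return subprocess.run(build_ssh_argv(host, remote_cmd, **kw), check=False)


if __name__ == "__main__":
    # Constructed sample destinations; the first three are benign, the
    # rest are shapes the validator must refuse.
    candidates = [
        "hg.example.org",
        "192.0.2.10",
        "[2001:db8::1]",
        "-oProxyCommand=id",        # option injection (the CVE-2017-1000116 shape)
        "hg.example.org extra",     # embedded whitespace
        "hg.example.org;id",        # shell metacharacter
        "",                         # empty
    ]
    for c in candidates:
        print("%-28r -> %s" % (c, "accept" if is_safe_host(c) else "reject"))
    print(build_ssh_argv("hg.example.org", "hg -R repo serve --stdio", user="hg", port=2222))
```

Note that the remote command string is still interpreted by the remote account's shell; the validator above only protects the local side from the destination being read as an option, which is the failure the changelog describes.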




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 08:00:20 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:36:56 2019; Machine Name: buxtehude
