mercurial: CVE-2016-3068 CVE-2016-3069 CVE-2016-3630


Debian Bug report logs - #819504
mercurial: CVE-2016-3068 CVE-2016-3069 CVE-2016-3630


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 29 Mar 2016 19:36:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions mercurial/3.7.2-2, mercurial/0.6-1

Fixed in versions mercurial/3.7.3-1, mercurial/3.1.2-2+deb8u2, mercurial/2.2.2-4+deb7u2

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#819504; Package src:mercurial. (Tue, 29 Mar 2016 19:36:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Tue, 29 Mar 2016 19:36:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mercurial: CVE-2016-3068 CVE-2016-3069 CVE-2016-3630
Date: Tue, 29 Mar 2016 21:34:20 +0200
Source: mercurial
Version: 3.7.2-2
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for mercurial.

CVE-2016-3068[0]:
arbitrary code execution with Git subrepos

CVE-2016-3069[1]:
arbitrary code execution when converting Git repos

CVE-2016-3630[2]:
remote code execution in binary delta decoding

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3068
[1] https://security-tracker.debian.org/tracker/CVE-2016-3069
[2] https://security-tracker.debian.org/tracker/CVE-2016-3630
[3] https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#819504; Package src:mercurial. (Tue, 29 Mar 2016 20:09:03 GMT)


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Tue, 29 Mar 2016 20:09:04 GMT)


Message #10 received at 819504@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 819504@bugs.debian.org
Subject: Re: Bug#819504: mercurial: CVE-2016-3068 CVE-2016-3069 CVE-2016-3630
Date: Tue, 29 Mar 2016 22:04:25 +0200
Control: found -1 0.6-1

On Tue, Mar 29, 2016 at 21:34:20 +0200, Salvatore Bonaccorso wrote:

> Source: mercurial
> Version: 3.7.2-2
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerabilities were published for mercurial.
> 
> CVE-2016-3068[0]:
> arbitrary code execution with Git subrepos
> 
> CVE-2016-3069[1]:
> arbitrary code execution when converting Git repos
> 
> CVE-2016-3630[2]:
> remote code execution in binary delta decoding
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-3068
> [1] https://security-tracker.debian.org/tracker/CVE-2016-3069
> [2] https://security-tracker.debian.org/tracker/CVE-2016-3630
> [3] https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
> 
> Please adjust the affected versions in the BTS as needed.
> 
19:25:27 < SpComb> is there a lower bound on old versions affected by CVE-2016-3630?
19:25:50 <@mpm> Roughly... 0.6

Javi: I already told Salvatore on IRC, but I should be able to make some
time tomorrow to prepare updates for sid/jessie/wheezy if that would
help; just let me know.

Cheers,
Julien



Marked as found in versions mercurial/0.6-1. Request was from Julien Cristau <jcristau@debian.org> to 819504-submit@bugs.debian.org. (Tue, 29 Mar 2016 20:09:04 GMT)


Marked as fixed in versions mercurial/3.7.3-1. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 30 Mar 2016 11:27:08 GMT)


Marked Bug as done. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 30 Mar 2016 11:27:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 30 Mar 2016 11:27:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#819504; Package src:mercurial. (Wed, 30 Mar 2016 11:33:03 GMT)


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Wed, 30 Mar 2016 11:33:03 GMT)


Message #23 received at 819504@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 819504@bugs.debian.org
Subject: Re: Bug#819504: mercurial: CVE-2016-3068 CVE-2016-3069 CVE-2016-3630
Date: Wed, 30 Mar 2016 13:29:20 +0200
On Tue, Mar 29, 2016 at 21:34:20 +0200, Salvatore Bonaccorso wrote:

> the following vulnerabilities were published for mercurial.
> 
> CVE-2016-3068[0]:
> arbitrary code execution with Git subrepos
> 
> CVE-2016-3069[1]:
> arbitrary code execution when converting Git repos
> 
> CVE-2016-3630[2]:
> remote code execution in binary delta decoding
> 
Hi,

here's a diff for jessie, modulo s/UNRELEASED/jessie-security/ in the
changelog.  OK to upload to security-master?

I'll work on wheezy next.

Cheers,
Julien
[mercurial_jessie.diff (text/x-diff, attachment)]

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Fri, 08 Apr 2016 09:51:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Apr 2016 09:51:26 GMT)


Message #28 received at 819504-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 819504-close@bugs.debian.org
Subject: Bug#819504: fixed in mercurial 3.1.2-2+deb8u2
Date: Fri, 08 Apr 2016 09:47:55 +0000
Source: mercurial
Source-Version: 3.1.2-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 819504@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 04 Apr 2016 15:41:22 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source all amd64
Version: 3.1.2-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 819504
Changes:
 mercurial (3.1.2-2+deb8u2) jessie-security; urgency=high
 .
   * CVE-2016-3630:
     + parsers: fix list sizing rounding error
     + parsers: detect short records
   * CVE-2016-3068:
     + subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols
   * CVE-2016-3069:
     + convert: add new, non-clowny interface for shelling out to git
     + convert: rewrite calls to Git to use the new shelling mechanism
     + convert: dead code removal - old git calling functions
     + convert: rewrite gitpipe to use common.commandline
     + convert: test for shell injection in git calls
   Closes: #819504
Checksums-Sha1:
 18764a7b25256dc7b1412ddc7ea3a444dd6e2c34 2273 mercurial_3.1.2-2+deb8u2.dsc
 df69dd5b4b561241c6c70d6a3cc7faaf1932d96a 53104 mercurial_3.1.2-2+deb8u2.debian.tar.xz
 c08b338aa119e4e50f6665dc2bff6a61786d8435 1601038 mercurial-common_3.1.2-2+deb8u2_all.deb
 09dd4187518be64d6f3a0cfbc2a303bcb9225737 59998 mercurial_3.1.2-2+deb8u2_amd64.deb
Checksums-Sha256:
 a9f0e92d27935a0bdcf418260cd1d31552e311cbcf3a7112bc8ada24f73e6927 2273 mercurial_3.1.2-2+deb8u2.dsc
 7d3c9f6b221605e129f2476c86017b4bb47048c4587e8376888d18d80ef196b0 53104 mercurial_3.1.2-2+deb8u2.debian.tar.xz
 52c1e914ca57743c5e331f6308d0bff755c446b21e86491ca9f3339d26dfa643 1601038 mercurial-common_3.1.2-2+deb8u2_all.deb
 bcd724239c207424520a871956663bd55dffff265e1ad5b93dd91aefdaa2df6e 59998 mercurial_3.1.2-2+deb8u2_amd64.deb
Files:
 3e98ecc94ceed22414f308977c5c33ce 2273 vcs optional mercurial_3.1.2-2+deb8u2.dsc
 09443346fcd32df0e48d42c0d9e9fbb7 53104 vcs optional mercurial_3.1.2-2+deb8u2.debian.tar.xz
 0178734936ac3e7c0da633b8826cdf2b 1601038 vcs optional mercurial-common_3.1.2-2+deb8u2_all.deb
 06da0420aa8c640110c603fbb63429f2 59998 vcs optional mercurial_3.1.2-2+deb8u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXAuJgAAoJEJ2wI1VW+M+tCyMP/2KTVmxqxwThvcnOjxfL0Dvx
2uqgZTbnlyeuPt5R65x0lCIUiRKjFjb0ESM+pBr7MnlCOvlRDC1dFkWaDPjfKm7G
UD9CnoAlx09Lg6jWm/loHFWuJH42O5Pa0WeLi8DZN8QCPZcXQRc116lbbsumdhmy
ivjGj+PhB3T/dU2hPARqjvhuQSTSVIOF2NjWpNEUe2/B/oXakR0lqNVkKe+Ds3Eg
9VoDUo6wL01Tskg/mC+3kgYtpogs3mSBoxeM60z3OT3z/snw5W7OE3/uRUY0qXq/
R5b9t1eCT0wAzTSHIRVL2h4HJrZaunv/rNgV0xU3epn59dAaM3eljsgbvZ0+AGTQ
3K4iN/8ooH1womB07t844OUeLV4oANCj3pRhiBS78IRoTB52NoI8HkjI9CXKKhK8
HVVjPNNgoknI9kVg+fv2Cnj0+M2bV73fuGkdDaNy6NVpcHsTKyoQDmP2kvAJboIe
cJE/wYxsyhk33QiJbSuy8w3AbPcTT9yX9wPQ71BFNsoAmwNwo3yylkH5jTffuQFA
W7eAxWQm4N0GSA9Tf0w9LAzy4ap1t/zRJIuwFsrCG5VEcdHha1nuEGJSxPsMOSPp
pOKe/mVLySk8qoUeTQmNaYfp6CMgO7JRcwc1H8SjG8rymD6YkQTEhAsJlhvlrbbR
plaFMeeQpGOrbvKlTR4P
=8x3e
-----END PGP SIGNATURE-----

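The jessie changelog above names two of the fixes by mechanism: for CVE-2016-3069, calls to git that had been assembled as shell command strings were rewritten to go through an argument-list interface, with a regression test for shell injection; for CVE-2016-3068, GIT_ALLOW_PROTOCOL is set in the environment of the git subprocess so a Git subrepository URL cannot select an arbitrary transport. The following is an added example, not Mercurial's code and not part of this bug log, that shows both patterns on a toy git helper. The helper names, the toy `git cat-file` command, the simplified URL classifier and the allow-list `file:git:http:https:ssh` are this example's own assumptions; the commands are only built and classified, not executed, so it runs offline without git installed.

```python
"""Added example, not Mercurial's code: the two hardening patterns the
changelog names for CVE-2016-3069 ("rewrite calls to Git to use the new
shelling mechanism") and CVE-2016-3068 ("set GIT_ALLOW_PROTOCOL"), shown on
a toy git-calling helper.  Nothing here needs git installed: the functions
build the command line and the environment, so they can be exercised offline.
The names, the toy command and the protocol allow-list are assumptions made
for this example.
"""
import os
import shlex
import subprocess
from typing import Dict, List, Optional


# --- CVE-2016-3069 pattern: shell injection through string-built commands ---

def unsafe_git_cmdline(rev: str, path: str) -> str:
    """'Before' shape: the (repository-controlled) file name is pasted into a
    string that is handed to /bin/sh, so metacharacters in it become syntax."""
    return "git cat-file blob %s:%s" % (rev, path)


def safe_git_argv(rev: str, path: str) -> List[str]:
    """'After' shape: one list element per argument and no shell, so whatever
    `path` contains stays inside a single argv entry."""
    return ["git", "cat-file", "blob", "%s:%s" % (rev, path)]


def shell_words(cmdline: str) -> List[str]:
    """How a POSIX shell would split the string form into words (via shlex)."""
    return shlex.split(cmdline)


# --- CVE-2016-3068 pattern: restrict the transports a git subprocess may use ---

# Assumed allow-list for this example.  git reads GIT_ALLOW_PROTOCOL itself and
# refuses any other transport, including the ext:: remote helper, which runs
# the shell command given in the URL.
ALLOWED_GIT_PROTOCOLS = ("file", "git", "http", "https", "ssh")


def hardened_git_env(base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Environment for every git child process: inherit, then pin the allow-list."""
    env = dict(os.environ if base_env is None else base_env)
    env["GIT_ALLOW_PROTOCOL"] = ":".join(ALLOWED_GIT_PROTOCOLS)
    return env


def url_scheme(url: str) -> str:
    """Simplified model of the transport git selects for a URL: a well-formed
    'scheme://' first, then a 'helper::' prefix, then scp-style user@host:path
    as ssh, otherwise a local path."""
    head, sep, _ = url.partition("://")
    if sep and head.replace("+", "").replace("-", "").replace(".", "").isalnum():
        return head
    helper, sep, _ = url.partition("::")
    if sep:
        return helper
    first = url.split("/", 1)[0]
    return "ssh" if ":" in first and not url.startswith("/") else "file"


def is_clone_url_allowed(url: str, env: Dict[str, str]) -> bool:
    """Pre-flight model of git's own GIT_ALLOW_PROTOCOL check: with the variable
    unset git accepts any transport, ext:: included."""
    allowed = env.get("GIT_ALLOW_PROTOCOL")
    if allowed is None:
        return True
    return url_scheme(url) in allowed.split(":")


def run_git(argv: List[str], cwd: str) -> bytes:
    """Run git the safe way: argv list, shell=False, pinned protocol list."""
    if argv[:1] != ["git"]:
        raise ValueError("argv must start with 'git'")
    return subprocess.run(argv, cwd=cwd, env=hardened_git_env(), shell=False,
                          check=True, capture_output=True).stdout
```

`run_git` is the only function that would actually spawn git. The two properties a reviewer looks for in any code that shells out with repository-controlled names are the ones the checks above make visible: no string-built command lines, and a pinned GIT_ALLOW_PROTOCOL in the child's environment so that a hostile subrepository URL such as `ext::sh -c ...` is refused by git itself.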



Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Fri, 08 Apr 2016 09:51:31 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Apr 2016 09:51:32 GMT)


Message #33 received at 819504-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 819504-close@bugs.debian.org
Subject: Bug#819504: fixed in mercurial 2.2.2-4+deb7u2
Date: Fri, 08 Apr 2016 09:49:25 +0000
Source: mercurial
Source-Version: 2.2.2-4+deb7u2

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 819504@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Apr 2016 22:51:48 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source all amd64
Version: 2.2.2-4+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 819504
Changes: 
 mercurial (2.2.2-4+deb7u2) wheezy-security; urgency=high
 .
   * CVE-2016-3630:
     + mpatch: rewrite pointer overflow checks (prerequisite for the following)
     + parsers: fix list sizing rounding error
     + parsers: detect short records
   * CVE-2016-3068:
     + subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols
   * CVE-2016-3069:
     + convert: add new, non-clowny interface for shelling out to git
     + convert: rewrite calls to Git to use the new shelling mechanism
     + convert: dead code removal - old git calling functions
     + convert: rewrite gitpipe to use common.commandline
     + convert: test for shell injection in git calls
   Closes: #819504
Checksums-Sha1: 
 312521447cfbf886d168441b61df63c2202efd0b 2164 mercurial_2.2.2-4+deb7u2.dsc
 2454b00f21ac9676da89600b004bae0e294d5d7a 50657 mercurial_2.2.2-4+deb7u2.debian.tar.gz
 4713d1438c1f4ed810089ade7a8c662df0bbdf51 2324960 mercurial-common_2.2.2-4+deb7u2_all.deb
 15332c9fdb6439d7974c12cdb29d47b2d06617cd 93336 mercurial_2.2.2-4+deb7u2_amd64.deb
Checksums-Sha256: 
 7e7f259ce8b9690d5e7ff1b5d6c9fb8bdc32daef412f3bfa876a8d02782d8d39 2164 mercurial_2.2.2-4+deb7u2.dsc
 765a1c55b1f44ee21c22d3defa5499499199888145bb4d0ba724e83fd95235fb 50657 mercurial_2.2.2-4+deb7u2.debian.tar.gz
 4fc801b8c827d9ad7d2f2de6fe46fc3b4b85680eda6283544cc8208607390d10 2324960 mercurial-common_2.2.2-4+deb7u2_all.deb
 726874d1d91fd78e91e3a81faf58675292d4d64a51b24897816bec3622bdf5f8 93336 mercurial_2.2.2-4+deb7u2_amd64.deb
Files: 
 effd7642cb0a60494740790fb81ff436 2164 vcs optional mercurial_2.2.2-4+deb7u2.dsc
 06c072a5f1be9a71eb53fc82af782f1e 50657 vcs optional mercurial_2.2.2-4+deb7u2.debian.tar.gz
 4d5de4fb9280473937204150504ddaaa 2324960 vcs optional mercurial-common_2.2.2-4+deb7u2_all.deb
 1ce86af92568a418bddf9db911f01eed 93336 vcs optional mercurial_2.2.2-4+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
[signature body elided]
-----END PGP SIGNATURE-----

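The wheezy changelog above lists three CVE-2016-3630 changes ("pointer overflow checks", "fix list sizing rounding error", "detect short records"); together they describe a binary-delta decoder that must compute its output size and validate every record before it reads or writes. As an added example, not Mercurial's mpatch code and not part of this bug log, here is a small delta decoder with those checks. The hunk layout is assumed to match mpatch's (a 12-byte big-endian start/end/length header followed by the replacement data, hunks sorted by start and non-overlapping); the names, the `DeltaError` class and the sample inputs are this example's own.

```python
"""Added example, not Mercurial's code: a binary-delta decoder with the
"detect short records" and output-sizing checks that the CVE-2016-3630
changelog lines name.  Hunk layout assumed here: a 12-byte big-endian header
(start, end, length) followed by `length` bytes of replacement text, hunks
sorted by start and non-overlapping.  Names and sample inputs are this
example's own.
"""
import struct
from typing import List, Tuple

HUNK_HEADER = struct.Struct(">iii")  # start, end, length as signed 32-bit BE

Hunk = Tuple[int, int, bytes]


class DeltaError(ValueError):
    """Raised for any delta that is truncated or points outside the base text."""


def parse_hunks(delta: bytes) -> List[Hunk]:
    """Split a delta into hunks, refusing headers or data that would run past
    the end of the buffer instead of reading whatever follows it in memory."""
    hunks: List[Hunk] = []
    pos, n = 0, len(delta)
    while pos < n:
        if n - pos < HUNK_HEADER.size:
            raise DeltaError("short hunk header at offset %d" % pos)
        start, end, length = HUNK_HEADER.unpack_from(delta, pos)
        pos += HUNK_HEADER.size
        if start < 0 or end < start or length < 0:
            raise DeltaError("bad hunk header start=%d end=%d len=%d"
                             % (start, end, length))
        if length > n - pos:
            raise DeltaError("short hunk data at offset %d: need %d, have %d"
                             % (pos, length, n - pos))
        hunks.append((start, end, delta[pos:pos + length]))
        pos += length
    return hunks


def patched_size(base_len: int, hunks: List[Hunk]) -> int:
    """Result size, computed before any copying.  Also where hunks that run
    backwards, overlap, or reach past the base text are rejected."""
    size, last = base_len, 0
    for start, end, data in hunks:
        if start < last or end > base_len:
            raise DeltaError("hunk %d..%d out of order or past base of %d bytes"
                             % (start, end, base_len))
        size += len(data) - (end - start)
        last = end
    return size


def apply_delta(base: bytes, delta: bytes) -> bytes:
    """Apply `delta` to `base`; every index used below was validated first."""
    hunks = parse_hunks(delta)
    expected = patched_size(len(base), hunks)
    out, last = bytearray(), 0
    for start, end, data in hunks:
        out += base[last:start]   # unchanged text before this hunk
        out += data               # replacement for base[start:end]
        last = end
    out += base[last:]
    if len(out) != expected:
        raise DeltaError("size mismatch: computed %d, produced %d" % (expected, len(out)))
    return bytes(out)


def make_delta(hunks: List[Hunk]) -> bytes:
    """Encode hunks; used only to build the constructed sample inputs."""
    return b"".join(HUNK_HEADER.pack(s, e, len(d)) + d for s, e, d in hunks)


def is_rejected(base: bytes, delta: bytes) -> bool:
    """True if the decoder refuses `delta` for `base` with a DeltaError."""
    try:
        apply_delta(base, delta)
    except DeltaError:
        return True
    return False
```

The ordering is the point: the header is checked for completeness before it is unpacked, the declared length is checked against the bytes actually present before slicing, and the output size is derived from validated hunks before any copying, so a delta that lies about its lengths cannot steer a read or write outside the buffers.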



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Jun 2016 07:25:47 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:53:38 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.