Bug 15590

Summary: mercurial new security issue CVE-2014-9462
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: makowski.mageia, olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/638441/
Whiteboard: has_procedure advisory MGA4-64-OK
Source RPM: mercurial-3.1.1-4.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-03-30 15:42:54 CEST 
OpenSuSE has issued an advisory on March 27:
http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html

The OpenSuSE update fixes the CVE-2014-9462 issue, which corresponds to this entry in the upstream 3.2.4 changelog:
"sshpeer: more thorough shell quoting"

http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.4_.282015-01-01.29

As I previously mentioned:
https://bugs.mageia.org/show_bug.cgi?id=14849#c2

There was also a fix for CVE-2014-9390 in 3.2.3 (granted it doesn't really affect Linux).

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-30 15:43:11 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Philippe Makowski 2015-03-31 22:43:47 CEST 
For Mageia4 :
From mercurial-2.7.2-3.1.mga4.src

mercurial-2.7.2-3.1.mga4.i586
mercurial-2.7.2-3.1.mga4.x86_64
mercurial-debuginfo-2.7.2-3.1.mga4.x86_64
mercurial-debuginfo-2.7.2-3.1.mga4.i586

For Mageia5 freeze push asked for :
From mercurial-3.1.1-5.mga5.src

mercurial-3.1.1-5.mga5.i586
mercurial-3.1.1-5.mga5.x86_64
mercurial-debuginfo-3.1.1-5.mga5.x86_64
mercurial-debuginfo-3.1.1-5.mga5.i586
Comment 2 David Walser 2015-03-31 22:56:14 CEST 
Looks like we'll just be fixing CVE-2014-9462 and not CVE-2014-9390.  That's OK.

Summary: mercurial new security issue CVE-2014-9390 and CVE-2014-9462 => mercurial new security issue CVE-2014-9462

Comment 3 David Walser 2015-04-01 15:52:57 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

Package list in Comment 1.

Advisory:
========================

Updated mercurial packages fix security vulnerability:

The mercurial source code management system suffers from a code-injection
flaw due to insufficient shell quoting in sshpeer._validaterepo()
(CVE-2014-9462).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9462
http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html

CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 olivier charles 2015-04-01 22:52:40 CEST 
Testing on Mageia4x64 real hardware, following tutorial found at : http://mercurial.selenic.com/wiki/TutorialInstall
I did not find any PoC

From current package :
---------------------

mercurial-2.7.2-3.mga4

$ hg version
Mercurial Distributed SCM (version 2.7.2)
(...)

In my home directory,

$ nano .hgrc
[ui]
username = olivier_cc <olivier@gmail.com>
ssh = ssh -C

$ mkdir tmp tmp/repo
$ cd tmp/repo/
$ hg init
$ ls -a
./  ../  .hg/
$ hg clone http://www.selenic.com/repo/hello my-hello
requesting all changes
adding changesets
adding manifests
adding file changes
added 2 changesets with 2 changes to 2 files
updating to branch default
2 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ ls -a  my-hello/
./  ../  hello.c  .hg/  Makefile
$ rm -rf my-hello/

Verified I could use the clone command over ssh from a repository located on my network :
$ hg clone ssh://pi@192.168.0.15/tmp/repo/my-hello my-hello
pi@192.168.0.15's password: 
requesting all changes
adding changesets
adding manifests
adding file changes
added 2 changesets with 2 changes to 2 files
updating to branch default
2 files updated, 0 files merged, 0 files removed, 0 files unresolved

Went on tutorial to test history, making change, commit changeset (hg status, hg diff, hg revert, hg ci, hg par...)

All OK

Removed ~/tmp

To updated testing package :
--------------------------
mercurial-2.7.2-3.1.mga4

Reproduced same procedure.

All OK

CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK

Comment 5 claire robinson 2015-04-03 14:11:04 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK => has_procedure advisory MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-04-03 15:12:09 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0129.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED