| Summary: | mercurial new code execution security issue (CVE-2016-3105) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nic Baxter <nic> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, marja11, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/686084/ | ||
| Whiteboard: | has_procedure MGA5-64-OK advisory | ||
| Source RPM: | mercurial | CVE: | CVE-2016-3105 |
| Status comment: | |||
|
Description
Nic Baxter
2016-05-05 06:56:08 CEST
Nic Baxter
2016-05-05 06:57:48 CEST
URL: (none) => https://access.redhat.com/security/cve/CVE-2016-3105

(In reply to Nic Baxter from comment #0)
> This update fixes possible arbitrary code execution when converting Git
> repos. Mercurial prior to 3.8 allowed arbitrary code execution when using
> the convert extension on Git repos with hostile names. This could affect
> automated code conversion services that allow arbitrary repository names.
> This is a further side-effect of Git CVE-2015-7545. Reported and fixed by
> Blake Burkhart.
>
> This has been fixed in mercurial-3.8.1-1 i586/x86_64 Cauldron but not in
> mga5 which has mercurial-3.1.1-5.1 in updates

Assigning to Mercurial maintainer

CC: (none) => marja11

I put here the link to Debian page about this CVE:
https://security-tracker.debian.org/tracker/CVE-2016-3105
And the patch in Mercurial upstream repo
https://selenic.com/hg/rev/a56296f55a5e

My real question here is should the patched version be pushed to mga5?

Updated packages uploaded for Mageia 5

Advisory:
========================

Updated mercurial packages fix security vulnerabilities:

This update fixes possible arbitrary code execution when converting Git repos. Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545. Reported and fixed by Blake Burkhart.

References:
- https://access.redhat.com/security/cve/CVE-2016-3105
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3105
- https://selenic.com/hg/rev/a56296f55a5e

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.2.mga5.x86_64
mercurial-3.1.1-5.2.mga5.i586

from mercurial-3.1.1-5.2.mga5.src.rpm

Assignee: makowski.mageia => qa-bugs
David Walser
2016-05-05 16:58:45 CEST
URL: https://access.redhat.com/security/cve/CVE-2016-3105 => http://lwn.net/Vulnerabilities/686084/
claire robinson
2016-05-12 11:51:57 CEST
Source RPM: (none) => mercurial

x86_64
Shall test this with Olivier's procedure.

CC: (none) => tarazed25

Created a local repository and then cloned it on another node on the LAN. Added a file and ran commit after editing the config file to name a user.
Checked out a few of the commands in the help list.

Updated to mercurial-3.1.1-5.2.mga5. Removed the old repositories and worked through the testing procedure again and did the same on another machine. On the other machine cloned the my-hello branch from the main test machine.
$ hg version
Mercurial Distributed SCM (version 3.1.1)
$ hg clone ssh://lcl@belexeuli/tmp/repo/my-hello my-hello
<password>
requesting all changes
adding changesets
.......
$ hg clone my-hello my-hello-share
updating to branch default
2 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ cd my-hello-share
$ hg -q tip
1:82e55d328c8c
$ cd my-hello-new-output
$ edit hello.c
[1] 18727
$ hg st
M hello.c
$ hg diff
diff -r 82e55d328c8c hello.c
--- a/hello.c Fri Aug 26 01:21:28 2005 -0700
+++ b/hello.c Thu May 12 15:16:26 2016 +0100
@@ -12,5 +12,6 @@
int main(int argc, char **argv)
{
printf("hello, world!\n");
+ printf( "This one is easy but time consuming\n" );
return 0;
}
$ hg revert hello.c
[lcl@belexeuli my-hello-new-output]$ hg st
? hello.c.orig
$ mv hello.c.orig hello.c
$ hg st
M hello.c
// 'check in' editor
$ hg ci
Having a grumble
HG: Enter commit message. Lines beginning with 'HG:' are removed.
HG: Leave message empty to abort commit.
HG:
HG: user: Len Lawrence <tarazed25@gmail.com>
HG: branch 'default'
HG: changed hello.c
$ hg par
changeset: 2:df085f900c01
tag: tip
user: Len Lawrence <tarazed25@gmail.com>
date: Thu May 12 15:28:40 2016 +0100
summary: Having a grumble
$ cd ../my-hello-share
$ hg pull ../my-hello-new-output
pulling from ../my-hello-new-output
searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
(run 'hg update' to get a working copy)
$ hg up
1 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg pull ../my-hello-new-output
pulling from ../my-hello-new-output
searching for changes
no changes found
$ hg push ../my-hello-new-output
pushing to ../my-hello-new-output
searching for changes
no changes found
// Now export the changeset
$ hg export tip
# HG changeset patch
# User Len Lawrence <tarazed25@gmail.com>
# Date 1463063320 -3600
# Thu May 12 15:28:40 2016 +0100
# Node ID df085f900c01d643d6cf205507869d6bcec6dcf2
# Parent 82e55d328c8ca4ee16520036c0aaace03a5beb65
Having a grumble
diff -r 82e55d328c8c -r df085f900c01 hello.c
--- a/hello.c Fri Aug 26 01:21:28 2005 -0700
+++ b/hello.c Thu May 12 15:28:40 2016 +0100
@@ -12,5 +12,6 @@
int main(int argc, char **argv)
{
printf("hello, world!\n");
+ printf( "This one is easy but time consuming\n" );
return 0;
}
I reckon this is enough for validation. Everything works as expected.
Len Lawrence
2016-05-12 16:45:33 CEST
Whiteboard: has_procedure => has_procedure MGA5-64-OK

If it is important to test this for i586 I can load it into my vbox and clone a repository from a 64-bit machine on the LAN. It will have to wait though.

We'll validate most things with one arch tested Len, to keep updates moving. Ones which we need to be more cautious with are hardware related or anything low level and intrinsic to the system, e.g. rpm.
Len Lawrence
2016-05-12 21:32:22 CEST
Keywords: (none) => validated_update
Dave Hodgins
2016-05-12 21:50:01 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0172.html

Status: NEW => RESOLVED |