| Summary: | mercurial new security issue fixed upstream in 4.1.3 (CVE-2017-9462) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | mercurial-4.1.2-1.mga6.src.rpm | CVE: | CVE-2017-9462 |
| Status comment: | | | |
| Attachments: | testing procedure | | |
Description
David Walser
2017-05-13 21:02:13 CEST
updated in cauldron

Resolution: (none) => FIXED

openSUSE has issued an advisory for this on June 13:
https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00007.html

They identified this issue as CVE-2017-9462. Apparently it affects older versions too.

Resolution: FIXED => (none)

Advisory:
========================

Updated mercurial package fixes security vulnerabilities:

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9462
https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00007.html
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
========================

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.3.mga5 from mercurial-3.1.1-5.3.mga5.src.rpm

Status: REOPENED => ASSIGNED
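As an added defender-side illustration (not Mercurial's own hg-ssh script and not the upstream 4.1.3 fix): a forced-command validator that only lets through "hg -R <repo> serve --stdio" with a sane repository name, so that an option-looking name such as "--debugger" is refused before hg is ever invoked. The root /srv/hg and the function names are assumptions.

```python
"""Argument check in front of 'hg serve --stdio' (added example, not hg-ssh).

A gateway that turns an SSH forced command into 'hg -R <repo> serve --stdio'
must not forward a repository name that hg could read as an option; the
advisory's case is a repository named '--debugger'. This wrapper accepts only
that exact command shape, rejects option-looking names and confines the
repository to an assumed root. Function names and the root are assumptions.
"""
import os
import shlex

DEFAULT_ROOT = "/srv/hg"  # assumed directory holding the served repositories


def parse_ssh_command(command, root=DEFAULT_ROOT):
    """Return the argv to exec for an acceptable command, else raise ValueError."""
    argv = shlex.split(command)
    # Exactly five words, fixed prefix and suffix: no extra hg options anywhere.
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        raise ValueError("unexpected command shape: %r" % command)
    repo = argv[2]
    # An empty name or one starting with '-' would be parsed by hg as an option.
    if not repo or repo.startswith("-"):
        raise ValueError("repository name looks like an option: %r" % repo)
    real_root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(real_root, repo))
    # Symlinks and '..' are resolved before the containment check; the root
    # directory itself is not a repository.
    if path == real_root or os.path.commonpath([real_root, path]) != real_root:
        raise ValueError("repository outside %s: %r" % (root, repo))
    # Pass the absolute path so the argument hg sees cannot begin with '-'.
    return ["hg", "-R", path, "serve", "--stdio"]


def is_allowed(command, root=DEFAULT_ROOT):
    """Boolean convenience wrapper around parse_ssh_command."""
    try:
        parse_ssh_command(command, root)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory: one legitimate, one abusive.
    for cmd in ("hg -R my-hello serve --stdio", "hg -R --debugger serve --stdio"):
        print("%-40s -> %s" % (cmd, "allowed" if is_allowed(cmd) else "refused"))
```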
Dave Hodgins
2017-06-18 08:09:29 CEST
CC: (none) => davidwhodgins

MGA5-32 on Asus A6000VM Xfce
No installation issues.
Did the test on this single machine, following procedure in bug18366 Comment 8 with two remarks:
1. Len forgot to copy another clone command that is needed before the line "cd my-hello-new-output"; needed is "$ hg clone my-hello my-hello-new-output"
2. The original mercurial tutorial has been moved to: https://www.mercurial-scm.org/wiki/Tutorial
Test OK for me. I will copy my CLI history to a file and attach it to this bug.

CC: (none) => herman.viaene

Created attachment 9428 [details]
testing procedure
Many thanks to Herman for posting the long test procedure - the attachment Comment 6.

Testing Mageia 5 x64
Installed initially from issued repos: mercurial-3.1.1-5.2.mga5

I started to run through the test, but ran into some glitches:

1. The original test path given in: https://bugs.mageia.org/show_bug.cgi?id=15590#c4 starts by creating file '~/.hgrc'; DO THIS FIRST.
[ui]
username = someUsername <someEmail@address>
ssh = ssh -C
without which (at least the 'username' line) the commit 'hg ci' does not work.

2.
├── tmp
│   ├── repo
│   │   ├── my-hello
│   │   ├── my-hello-new-output
│   │   └── my-hello-share/hello.c
The note "added new printf command in hello.c" refers to an arbitrary edit to this file to create a change. If you use vi, it may leave a backup copy 'hello.c~' which confuses things thereafter.

3. Unexpectedly, the '$ hg ci' command opens a vi window where you have to insert at the start (vi syntax, 'i' etc) a commit message. Be careful; if you do something wrong, you get into deep water and cannot re-do it.

4. The "hg revert hello.c" line lacks its leading '$' so you might overlook that it is a command to do. It is, & not a comment.

5. At the end, you may want to tidy up; from HOME:
$ rm -rf tmp/repo

UPDATED to: mercurial-3.1.1-5.3.mga5
Heeding these cautions, the given procedure worked exactly as described. Phew! OK and validating.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0182.html

Resolution: (none) => FIXED